Package impact

COMPOSER / symfony/symfony

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-45074	medium	—	5.5	8d ago	Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
CVE-2026-45075	medium	—	5.5	8d ago	Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
CVE-2026-45068	medium	—	5.5	8d ago	Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
CVE-2026-45069	medium	—	5.5	8d ago	Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
CVE-2026-45064	medium	—	5.5	8d ago	Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
CVE-2026-45070	medium	—	5.5	8d ago	Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
CVE-2026-45065	medium	—	5.5	8d ago	Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
CVE-2026-45066	medium	—	5.5	8d ago	Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
CVE-2026-45073	medium	—	5.5	8d ago	Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
CVE-2026-45305	low	—	2.5	8d ago	Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
CVE-2026-45071	low	—	2.5	8d ago	Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
CVE-2026-45072	low	—	2.5	8d ago	Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
CVE-2026-45133	low	—	2.5	8d ago	Symfony hardened the parser when handling untrusted input
CVE-2026-45304	low	—	2.5	8d ago	Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")