VIR Vulnerability Intelligence Relay

Package impact

php Packagist / symfony/symfony

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2016-2403 critical 9.8 9.8 9y ago Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. debianphp
CVE-2026-45063 high 8.0 8d ago Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator debianphp
CVE-2026-45077 high 8.0 8d ago Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener debianphp
CVE-2026-45067 high 8.0 8d ago Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address debianphp
CVE-2016-4423 high 7.5 7.5 10y ago The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x befo… debianphp
CVE-2016-1902 high 7.5 7.5 10y ago The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the par… debianphp
CVE-2015-8125 high 7.5 11y ago Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/… debianphp
CVE-2013-1397 high 7.5 12y ago Symfony Arbitrary PHP code Execution php
CVE-2013-1348 high 7.5 12y ago Symphony Vulnerable to PHP Code Injection via YAML Parsing php
CVE-2015-8124 medium 6.8 11y ago Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess… debianphp
CVE-2015-2308 medium 6.8 11y ago Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP … debianphp
CVE-2012-6432 medium 6.8 14y ago Symfony Access Control Vulnerability php
CVE-2012-6431 medium 6.4 14y ago Symfony Allows URI Restrictions Bypass Via Double-Encoded String php
CVE-2026-45066 medium 5.5 8d ago Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification debianphp
CVE-2026-45075 medium 5.5 8d ago Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] debianphp
CVE-2026-45073 medium 5.5 8d ago Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix debianphp
CVE-2026-45068 medium 5.5 8d ago Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address debianphp
CVE-2026-45064 medium 5.5 8d ago Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing debianphp
CVE-2026-45069 medium 5.5 8d ago Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims debianphp
CVE-2026-45065 medium 5.5 8d ago Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection debianphp
CVE-2026-45074 medium 5.5 8d ago Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay debianphp
CVE-2026-45070 medium 5.5 8d ago Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names debianphp
CVE-2018-14773 medium 5.5 4y ago An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises … archdebianphp
CVE-2013-5958 medium 5.0 12y ago The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon… debianphp
CVE-2015-4050 medium 4.3 11y ago FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if … debianphp
CVE-2026-45071 low 2.5 8d ago Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true debianphp
CVE-2026-45305 low 2.5 8d ago Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex debianphp
CVE-2026-45304 low 2.5 8d ago Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") debianphp
CVE-2026-45133 low 2.5 8d ago Symfony hardened the parser when handling untrusted input debianphp
CVE-2026-45072 low 2.5 8d ago Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering debianphp
CVE-2026-48736 unknown 2d ago CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient debianphp
CVE-2026-48489 unknown 2d ago CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes debianphp
CVE-2026-48784 unknown 2d ago CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization debianphp
CVE-2026-48761 unknown 2d ago CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content debianphp
CVE-2026-48760 unknown 2d ago CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense debianphp
CVE-2026-48747 unknown 2d ago CVE-2026-48747: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade debianphp
CVE-2026-47212 unknown 8d ago CVE-2026-47212: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauthenticated Webhook Event Injection debianphp
CVE-2026-45753 unknown 8d ago CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS) debianphp
CVE-2026-45754 unknown 8d ago CVE-2026-45754: Mailjet Mailer and LOX24 Notifier Webhook Parsers Never Verify the Configured Secret: Unauthenticated Webhook Event Injection debianphp
CVE-2026-45755 unknown 8d ago CVE-2026-45755: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC: Unauthenticated Webhook Event Injection debianphp
CVE-2026-45756 unknown 8d ago CVE-2026-45756: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits: ReDoS debianphp
CVE-2026-46626 unknown 8d ago CVE-2026-46626: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch debianphp
CVE-2026-24739 unknown 4mo ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not cor… debianphp
CVE-2025-64500 unknown 7mo ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Start… debianphp
CVE-2024-51736 unknown 2y ago Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory i… debianphp
CVE-2024-50343 unknown 2y ago symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metachar… debianphp
CVE-2024-50342 unknown 2y ago symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, so… debianphp
CVE-2024-50341 unknown 2y ago symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` define… debianphp
CVE-2024-50340 unknown 2y ago symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any… debianphp
CVE-2014-6072 unknown 2y ago Symfony Cross-Site Request Forgery vulnerability in the Web Profiler php
CVE-2014-5245 unknown 2y ago Symfony allows direct access of ESI URLs behind a trusted proxy php
CVE-2015-2309 unknown 2y ago Symfony has unsafe methods in the Request class debianphp
CVE-2014-6061 unknown 2y ago Symfony has a security issue when parsing the Authorization header php
CVE-2014-5244 unknown 2y ago Symfony vulnerable to denial of service via a malicious HTTP Host header php
CVE-2014-4931 unknown 2y ago Code injection in the way Symfony implements translation caching in FrameworkBundle php
CVE-2023-46735 unknown 3y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` return… debianphp
CVE-2023-46734 unknown 3y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Tw… debianphp
CVE-2023-46733 unknown 3y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListene… debianphp
CVE-2022-24894 unknown 3y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers… debianphp
CVE-2022-24895 unknown 3y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the… debianphp
CVE-2017-11365 unknown 4y ago Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The compo… debianphp
CVE-2018-11407 unknown 4y ago An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by l… debianphp
CVE-2017-16790 unknown 4y ago An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST … debianphp
CVE-2018-14774 unknown 4y ago An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using Http… debianphp
CVE-2018-11385 unknown 4y ago An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerabil… debianphp
CVE-2017-16652 unknown 4y ago An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler t… debianphp
CVE-2017-16654 unknown 4y ago An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the … debianphp
CVE-2018-11408 unknown 4y ago The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnera… debianphp
CVE-2018-11386 unknown 4y ago An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler c… debianphp
CVE-2018-11406 unknown 4y ago An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session … debianphp
CVE-2018-19789 unknown 4y ago An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `strin… debianphp
CVE-2018-19790 unknown 4y ago An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_f… debianphp
CVE-2017-16653 unknown 4y ago An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token… debianphp
CVE-2013-4752 unknown 4y ago Symfony Host Header Injection vulnerability in the HttpFoundation component php
CVE-2013-4751 unknown 4y ago Symfony collectionCascaded and collectionCascadedDeeply fields security bypass php
CVE-2019-18887 unknown 4y ago An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/h… debianphp
CVE-2021-41270 unknown 5y ago Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 bef… debianphp
CVE-2021-41268 unknown 5y ago Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version… debianphp
CVE-2021-41267 unknown 5y ago Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers"… debianphp
CVE-2021-32693 unknown 5y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prio… debianphp
CVE-2021-21424 unknown 5y ago Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de… debianphp
CVE-2020-15094 unknown 6y ago In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… debianphp
CVE-2020-5275 unknown 6y ago In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides … debianphp
CVE-2020-5274 unknown 6y ago In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even … debianphp
CVE-2020-5255 unknown 6y ago In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r… debianphp
CVE-2019-10911 unknown 6y ago In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with… debianphp
CVE-2019-10912 unknown 6y ago In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul… debianphp
CVE-2019-11325 unknown 6y ago An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar… debianphp
CVE-2019-10913 unknown 7y ago In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu… debianphp
CVE-2019-18886 unknown 7y ago An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor… debianphp
CVE-2019-18888 unknown 7y ago An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM… debianphp
CVE-2019-18889 unknown 7y ago An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel… debianphp
CVE-2019-10910 unknown 7y ago In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec… debianphp
CVE-2019-10909 unknown 7y ago In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th… debianphp