Package impact

php Packagist / symfony/symfony

| CVE | Severity | CVSS / Risk | Published | Description | Impact |
|---|---|---|---|---|---|
| CVE-2016-2403 | critical | 9.8 / 9.8 | 9y ago | Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. | debian, php |
| CVE-2026-45063 | high | 8.0 | 8d ago | Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator | debian, php |
| CVE-2026-45067 | high | 8.0 | 8d ago | Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address | debian, php |
| CVE-2026-45077 | high | 8.0 | 8d ago | Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener | debian, php |
| CVE-2016-4423 | high | 7.5 / 7.5 | 10y ago | The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x befo… | debian, php |
| CVE-2016-1902 | high | 7.5 / 7.5 | 10y ago | The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the par… | debian, php |
| CVE-2015-8125 | high | 7.5 | 11y ago | Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/… | debian, php |
| CVE-2013-1397 | high | 7.5 | 12y ago | Symfony Arbitrary PHP Code Execution | php |
| CVE-2013-1348 | high | 7.5 | 12y ago | Symfony Vulnerable to PHP Code Injection via YAML Parsing | php |
| CVE-2015-8124 | medium | 6.8 | 11y ago | Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess… | debian, php |
| CVE-2015-2308 | medium | 6.8 | 11y ago | Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP … | debian, php |
| CVE-2012-6432 | medium | 6.8 | 14y ago | Symfony Access Control Vulnerability | php |
| CVE-2012-6431 | medium | 6.4 | 14y ago | Symfony Allows URI Restrictions Bypass Via Double-Encoded String | php |
| CVE-2026-45070 | medium | 5.5 | 8d ago | Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names | debian, php |
| CVE-2026-45065 | medium | 5.5 | 8d ago | Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection | debian, php |
| CVE-2026-45069 | medium | 5.5 | 8d ago | Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims | debian, php |
| CVE-2026-45064 | medium | 5.5 | 8d ago | Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing | debian, php |
| CVE-2026-45066 | medium | 5.5 | 8d ago | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification | debian, php |
| CVE-2026-45068 | medium | 5.5 | 8d ago | Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address | debian, php |
| CVE-2026-45073 | medium | 5.5 | 8d ago | Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix | debian, php |
| CVE-2026-45075 | medium | 5.5 | 8d ago | Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] | debian, php |
| CVE-2026-45074 | medium | 5.5 | 8d ago | Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay | debian, php |
| CVE-2018-14773 | medium | 5.5 | 4y ago | An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises … | arch, debian, php |
| CVE-2013-5958 | medium | 5.0 | 12y ago | The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a lon… | debian, php |
| CVE-2015-4050 | medium | 4.3 | 11y ago | FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if … | debian, php |
| CVE-2026-45133 | low | 2.5 | 8d ago | Symfony hardened the parser when handling untrusted input | debian, php |
| CVE-2026-45305 | low | 2.5 | 8d ago | Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex | debian, php |
| CVE-2026-45304 | low | 2.5 | 8d ago | Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs") | debian, php |
| CVE-2026-45072 | low | 2.5 | 8d ago | Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering | debian, php |
| CVE-2026-45071 | low | 2.5 | 8d ago | Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true | debian, php |
| CVE-2026-45755 | unknown | | 8d ago | Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection | debian, php |
| CVE-2026-45756 | unknown | | 8d ago | Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS | debian, php |
| CVE-2026-45754 | unknown | | 8d ago | Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection | debian, php |
| CVE-2026-45753 | unknown | | 8d ago | Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript:` URI Survives Sanitization (XSS) | debian, php |