« Security Advisories » blog posts

Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

Remembering Ryan Weaver: Teacher, Core Team Member, Friend

CVE-2024-50340: Ability to change environment from query

CVE-2024-50340: Ability to change environment from query
November 6, 2024 #Security Advisories ❤️ 2 🚀 1

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient
November 6, 2024 #Security Advisories

Twig security release: Possible sandbox bypass

Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
September 9, 2024 #Security Advisories ❤️ 7

CVE-2023-46735: Potential XSS in WebhookController

CVE-2023-46735: Potential XSS in WebhookController
November 10, 2023 #Security Advisories

CVE-2023-46733: Possible session fixation

CVE-2023-46733: Possible session fixation
November 10, 2023 #Security Advisories

CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters

CVE-2023-46734: Potential XSS vulnerabilities in CodeExtension filters
November 10, 2023 #Security Advisories

CVE-2023-41336: symfony/ux-autocomplete Prevent injection of invalid entity ids for "autocomplete" fields

Security bug release for symfony/ux-autocomplete CVE-2023-41336
September 11, 2023 #Security Advisories
CVE-2022-24894: Prevent storing cookie headers in HttpCache.
February 1, 2023 #Security Advisories

CVE-2022-24895: CSRF token fixation

CVE-2022-24895: CSRF token fixation.
February 1, 2023 #Security Advisories

CVE-2022-23601: CSRF token missing in forms

CVE-2022-23601 fixes CSRF token missing in forms.
January 29, 2022 #Security Advisories