CVE Daily
← All tags

Tag: Symfony

All CVEs associated with "Symfony". Page 1/2 • 129 CVEs.

About “Symfony”

A curated feed of “Symfony”-related CVEs appears below. We currently track 129 CVEs for this tag (all time). In the last 365 days, 17 were published. Average CVSS is 6.4 (all time; 5.8 over 365d), and 36% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-327 - Use of a Broken or Risky Cryptographic Algorithm.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: symfony

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestPremier SupportEOLLTS
8.18.1.0
8.08.0.13 Soon
7.47.4.13LTS
7.37.3.11 Expired
7.27.2.9 Expired
7.17.1.11 Expired
7.07.0.10 Expired
6.46.4.41LTS
6.36.3.12 Expired
6.26.2.14 Expired
6.16.1.12 Expired
6.06.0.20 Expired
5.45.4.53LTS
5.35.3.16 Expired
5.25.2.14 Expired
5.15.1.11 Expired
5.05.0.11 Expired
4.44.4.51 ExpiredLTS
4.34.3.11 Expired
4.24.2.12 Expired
4.14.1.13 Expired
4.04.0.15 Expired
3.43.4.49 ExpiredLTS
3.33.3.18 Expired
3.23.2.14 Expired
3.13.1.10 Expired
3.03.0.9 Expired
2.82.8.52 ExpiredLTS
2.72.7.52 ExpiredLTS
2.32.3.42 ExpiredLTS

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Symfony”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-06-01
Medium

CVE-2026-45701

Sulu is an open-source PHP content management system based on the Symfony framework. Prior to versions 2.6.23 and 3.0.6, the password reset tokenand API key generation uses a weak cryptographical has…

CVSS: 6.9 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2026-05-08
Low

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
2026-04-14
High

CVE-2026-33715

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because…

CVSS: 7.2 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2026-03-31
Low

CVE-2026-34372

Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin vi…

CVSS: 2.7 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
2026-03-10
Medium

CVE-2026-31825

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctr…

CVSS: 5.3 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2026-31824

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerabilit…

CVSS: 8.2 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2026-31823

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to uns…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-31822

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2026-31821

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other re…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs…

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2026-30964

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. Prior to 5.2.4, when allo…

CVSS: 5.4 CWE: CWE-346 - Origin Validation Error View on NVD
2026-03-04
High

CVE-2026-28695

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process…

CVSS: 7.2 CWE: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine View on NVD
2026-01-28
Medium

CVE-2026-24739

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not cor…

CVSS: 6.3 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
2025-12-17
Medium

CVE-2025-68129

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper val…

CVSS: 6.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2025-11-12
High

CVE-2025-64500

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Start…

CVSS: 7.3 CWE: CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions View on NVD
2025-10-01
Low

CVE-2025-58769

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wr…

CVSS: 3.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2025-06-03
Critical

CVE-2025-48951

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SD…

CVSS: 9.3 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2025-05-19
Medium

CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAt…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2025-05-15
Critical

CVE-2025-47275

Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK confi…

CVSS: 9.1 CWE: CWE-287 - Improper Authentication View on NVD
2025-05-14
Medium

CVE-2025-47778

Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data vi…

CVSS: 6.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2025-04-15
Critical

CVE-2025-3579

In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-04-08
Medium

CVE-2025-30150

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using…

CVSS: 5.3 CWE: CWE-204 - Observable Response Discrepancy View on NVD
2025-03-24
Medium

CVE-2025-2689

A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator of the file symfony\finder\Iterator\SortableIterator…

CVSS: 6.3 CWE: CWE-20 - Improper Input Validation View on NVD
2025-01-09
High

CVE-2024-13250

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Drupal Symfony Mailer Lite allows Cross Site Request Forgery.This issue affects Drupal Symfony Mailer Lite: from 0.0.0 before 1.0.6.

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2024-11-29
High

CVE-2024-36611

In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request i…

CVSS: 7.5 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-11-13
High

CVE-2024-51996

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted i…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2024-11-06
Low

CVE-2024-50345

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters t…

CVSS: 3.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Low

CVE-2024-50343

symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metachar…

CVSS: 3.1 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2024-50342

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, so…

CVSS: 3.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2024-50341

symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` define…

CVSS: 3.1 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2024-50340

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any…

CVSS: 7.3 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2024-09-10
High

CVE-2024-45592

auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript…

CVSS: 8.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-08-29
Medium

CVE-2024-6551

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.15.1. This is due to the plugin utilizing Symf…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-08-08
Medium

CVE-2024-6552

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Sym…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-07-17
Medium

CVE-2024-40633

Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incrementa…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2024-07-15
Medium

CVE-2024-39912

web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. The ProfileBasedRequestOp…

CVSS: 5.3 CWE: CWE-204 - Observable Response Discrepancy View on NVD
2024-04-08
Medium

CVE-2024-31447

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store…

CVSS: 5.3 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2024-03-22
Critical

CVE-2024-28861

Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 has a gadget chain due to dangero…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-03-15
Medium

CVE-2024-28859

Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. Symfony 1 has a gadget chain due to vulnerable…

CVSS: 5.0 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-03-06
High

CVE-2024-27917

Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are…

CVSS: 7.5 CWE: CWE-524 - Use of Cache Containing Sensitive Information View on NVD
Medium

CVE-2024-27915

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security…

CVSS: 6.8 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-02-05
Low

CVE-2024-24807

Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name i…

CVSS: 2.7 CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) View on NVD
2023-11-10
Medium

CVE-2023-46735

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` return…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-46734

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Tw…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-46733

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListene…

CVSS: 6.5 CWE: CWE-384 - Session Fixation View on NVD
2023-09-11
Medium

CVE-2023-41336

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the v…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2023-08-04
Medium

CVE-2023-39343

Sulu is an open-source PHP content management system based on the Symfony framework. It allows over the Admin Login form to detect which user (username, email) exists and which one do not exist. Sulu…

CVSS: 4.3 CWE: CWE-204 - Observable Response Discrepancy View on NVD
2023-03-17
Critical

CVE-2023-28115

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2023-02-03
Medium

CVE-2022-24895

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the…

CVSS: 6.3 CWE: CWE-384 - Session Fixation View on NVD
Medium

CVE-2022-24894

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers…

CVSS: 5.9 CWE: CWE-285 - Improper Authorization View on NVD
2023-01-17
Medium

CVE-2023-22734

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double o…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Low

CVE-2023-22733

Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kind of sent mails. An attacker with access to either the l…

CVSS: 2.7 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Low

CVE-2023-22732

Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they coul…

CVSS: 3.7 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Critical

CVE-2023-22731

Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters l…

CVSS: 9.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2023-22730

Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Va…

CVSS: 5.3 CWE: CWE-20 - Improper Input Validation View on NVD
2022-04-20
High

CVE-2022-24872

Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to updat…

CVSS: 8.1 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2022-24871

Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Us…

CVSS: 7.2 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2022-04-06
Medium

CVE-2022-27108

OrangeHRM 4.10 is vulnerable to Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet`. Any user can create a timesheet in another user's account.

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2022-03-15
Critical

CVE-2022-24752

SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2022-03-09
Medium

CVE-2022-24748

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2022-24747

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable.…

CVSS: 6.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2022-24746

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2022-24745

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled.…

CVSS: 4.8 CWE: CWE-384 - Session Fixation View on NVD
Low

CVE-2022-24744

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password…

CVSS: 2.6 CWE: CWE-613 - Insufficient Session Expiration View on NVD
2022-02-01
High

CVE-2022-23601

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in t…

CVSS: 8.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2021-12-15
High

CVE-2021-43836

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration…

CVSS: 8.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
High

CVE-2021-43835

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions Sulu users who have access to any subset of the admin UI are able to elevate their privilege.…

CVSS: 7.2 CWE: CWE-269 - Improper Privilege Management View on NVD
2021-11-24
Medium

CVE-2021-41270

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 bef…

CVSS: 6.5 CWE: CWE-1236 - Improper Neutralization of Formula Elements in a CSV File View on NVD
Medium

CVE-2021-41268

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version…

CVSS: 6.5 CWE: CWE-384 - Session Fixation View on NVD
Medium

CVE-2021-41267

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers"…

CVSS: 6.5 CWE: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') View on NVD
2021-10-21
Medium

CVE-2021-41169

Sulu is an open-source PHP content management system based on the Symfony framework. In versions before 1.6.43 are subject to stored cross site scripting attacks. HTML input into Tag names is not pro…

CVSS: 6.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-07-02
High

CVE-2021-32737

Sulu is an open-source PHP content management system based on the Symfony framework. In versions of Sulu prior to 1.6.41, it is possible for a logged in admin user to add a script injection (cross-si…

CVSS: 8.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-06-28
Medium

CVE-2021-32720

Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-06-17
Medium

CVE-2021-32693

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prio…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2021-05-13
Medium

CVE-2021-21424

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-03-23
Medium

CVE-2021-27908

In all versions prior to Mautic 3.3.2, secret parameters such as database credentials could be exposed publicly by an authorized admin user through leveraging Symfony parameter syntax in any of the f…

CVSS: 5.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-09-02
High

CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X…

CVSS: 8.0 CWE: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer View on NVD
2020-08-20
Critical

CVE-2020-15146

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized prop…

CVSS: 9.6 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2020-15143

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized pro…

CVSS: 7.7 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2020-03-30
High

CVE-2020-5275

In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides…

CVSS: 7.6 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2020-5274

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even…

CVSS: 4.6 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Low

CVE-2020-5255

In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r…

CVSS: 2.6 CWE: CWE-435 - Improper Interaction Between Multiple Correctly-Behaving Entities View on NVD
2020-01-02
Medium

CVE-2013-4752

Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-12-29
Medium

CVE-2019-20058

Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS because unsanitized search?search= input is shown on the _profiler page. NOTE: this is disputed because profiling was never intended for use in…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-12-05
Low

CVE-2019-16768

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and prop…

CVSS: 3.5 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
2019-11-21
Critical

CVE-2019-18889

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is rel…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2019-18888

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIM…

CVSS: 7.5 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
High

CVE-2019-18887

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/h…

CVSS: 8.1 CWE: CWE-203 - Observable Discrepancy View on NVD
Critical

CVE-2019-11325

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrar…

CVSS: 9.8 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
Medium

CVE-2019-18886

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthor…

CVSS: 5.3 CWE: CWE-203 - Observable Discrepancy View on NVD
2019-05-23
Critical

CVE-2017-11365

Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The compo…

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
2019-05-16
Critical

CVE-2019-10913

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted inpu…

CVSS: 9.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this coul…

CVSS: 7.1 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2019-10911

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2019-10910

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code exec…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. Th…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-12-18
Medium

CVE-2018-19790

An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_f…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Medium

CVE-2018-19789

An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `strin…

CVSS: 5.3 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2018-08-06
Medium

CVE-2017-16790

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user, the request handler classes of the Form component merge POST…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2017-16654

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2017-16653

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different token…

CVSS: 5.9 CWE: N/A View on NVD
2018-08-03
High

CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using Http…

CVSS: 7.2 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2018-14773

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises…

CVSS: 6.5 CWE: N/A View on NVD
2018-07-20
Medium

CVE-2017-18343

The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as de…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2018-06-13
Medium

CVE-2018-12040

Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _pro…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2018-11408

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnera…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
Critical

CVE-2018-11407

An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by l…

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2018-11406

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2018-11386

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler c…

CVSS: 5.9 CWE: CWE-613 - Insufficient Session Expiration View on NVD
High

CVE-2018-11385

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerabil…

CVSS: 8.1 CWE: CWE-384 - Session Fixation View on NVD
Medium

CVE-2017-16652

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler t…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2017-02-07
Critical

CVE-2016-2403

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2016-06-01
High

CVE-2016-4423

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x befo…

CVSS: 7.5 CWE: CWE-399 View on NVD
High

CVE-2016-1902

The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the par…

CVSS: 7.5 CWE: CWE-310 View on NVD
2015-12-07
High

CVE-2015-8125

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2015-8124

Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a sess…

CVSS: 6.8 CWE: N/A View on NVD
2015-06-24
Medium

CVE-2015-2308

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2015-06-02
Medium

CVE-2015-4050

FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
2015-01-13
Medium

CVE-2014-100021

Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[emplo…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox