—CVE-2026-48784Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
from 0, < 5.4.53
—CVE-2026-45065Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
from 0, < 5.4.52
—CVE-2012-6431Symfony Allows URI Restrictions Bypass Via Double-Encoded String