pkg:Packagist/symfony/symfony

共 87 筆 CVECRITICAL7HIGH20MEDIUM25LOW5

✅ 檢查你的版本

所有已知漏洞

CRITICAL9.8CVE-2017-11365Symfony Incorrect Access Control
>= 2.7.30, < 2.7.32
CRITICAL9.8CVE-2018-11407Symfony Authentication Bypass
>= 2.8.0, < 2.8.37
CRITICAL9.8CVE-2016-2403symfony - security update
>= 2.8.0, < 2.8.6
CRITICAL9.8CVE-2019-11325Improper Input Validation in Symfony
>= 4.2.0, < 4.2.12
CRITICAL9.8CVE-2019-10913Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
>= 2.7.0, < 2.7.51
CRITICAL9.8CVE-2019-18889Symfony Unsafe Cache Serialization Could Enable RCE
>= 3.1.0, < 3.4.35
CRITICAL9.8CVE-2019-10910Symfony Service IDs Allow Injection
>= 2.7.0, < 2.7.51
HIGH8.8CVE-2018-11406Symfony CSRF Token Fixation
>= 2.7.0, < 2.7.48
HIGH8.4CVE-2024-51736Symfony vulnerable to command execution hijack on Windows with Process class
from 0, < 5.4.46
HIGH8.1CVE-2014-6072Symfony Cross-Site Request Forgery vulnerability in the Web Profiler
>= 2.0.0, < 2.3.19
HIGH8.1CVE-2018-11385Symfony Session Fixation Vulnerability
>= 2.7.0, < 2.7.48
HIGH8.1CVE-2013-4751Symfony collectionCascaded and collectionCascadedDeeply fields security bypass
>= 2.0.0, < 2.0.24
HIGH8.1CVE-2019-18887symfony - security update
>= 2.2.0, < 2.8.52
HIGH8.0CVE-2020-15094RCE in Symfony
>= 4.3.0, < 4.4.13
HIGH7.6CVE-2020-5275Firewall configured with unanimous strategy was not actually unanimous in Symfony
>= 4.4.0, < 4.4.7
HIGH7.5CVE-2014-5245Symfony allows direct access of ESI URLs behind a trusted proxy
>= 2.0.0, < 2.3.19
HIGH7.5CVE-2014-5244Symfony vulnerable to denial of service via a malicious HTTP Host header
>= 2.0.0, < 2.3.19
HIGH7.5CVE-2014-4931Code injection in the way Symfony implements translation caching in FrameworkBundle
>= 2.0.0, < 2.3.19
HIGH7.5CVE-2016-1902symfony - security update
>= 2.3.0, < 2.3.37
HIGH7.5CVE-2016-4423Symphony Denial of Service Via Overlong Usernames
>= 2.3.0, < 2.3.41
HIGH7.5CVE-2017-16654Symfony Directory Traversal
>= 2.7.0, < 2.7.38
HIGH7.5CVE-2019-10911Improper authentication in Symfony
>= 2.7.0, < 2.7.51
HIGH7.5CVE-2019-18888Argument injection in a MimeTypeGuesser in Symfony
>= 2.0.0, < 2.8.52
HIGH7.3CVE-2025-64500Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
>= 2.0.0, < 5.4.50
HIGH7.3CVE-2024-50340symfony - security update
>= 5.3.0, < 5.4.46
HIGH7.2CVE-2018-14774Symfony Host Header Injection
>= 2.7.0, < 2.7.49
HIGH7.1CVE-2019-10912Deserialization of untrusted data in Symfony
>= 2.8.0, < 2.8.50
MEDIUM6.8CVE-2021-32693Authentication granted to all firewalls instead of just one
>= 5.3.0, < 5.3.2
MEDIUM6.5CVE-2023-46733Symfony possible session fixation vulnerability
>= 5.4.21, < 5.4.31
MEDIUM6.5CVE-2017-16790Symfony SSRF Vulnerability via Form Component
>= 2.7.0, < 2.7.38
MEDIUM6.5CVE-2018-14773symfony - security update
>= 2.7.0, < 2.7.49
MEDIUM6.5CVE-2021-41270CSV Injection in symfony/serializer
>= 4.1.0, < 4.4.35
MEDIUM6.5CVE-2021-41268Cookie persistence after password changes in symfony/security-bundle
>= 5.3.0, < 5.3.12
MEDIUM6.5CVE-2021-41267Webcache Poisoning in symfony/http-kernel
>= 5.2.0, < 5.3.12
MEDIUM6.3CVE-2026-24739Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
from 0, < 5.4.51
MEDIUM6.3CVE-2022-24895Symfony vulnerable to Session Fixation of CSRF tokens
>= 2.0.0, < 4.4.50
MEDIUM6.1CVE-2023-46735Symfony potential Cross-site Scripting in WebhookController
>= 6.3.0, < 6.3.8
MEDIUM6.1CVE-2023-46734symfony - security update
>= 2.0.0, < 4.4.51
MEDIUM6.1CVE-2017-16652symfony - security update
>= 2.7.0, < 2.7.38
MEDIUM6.1CVE-2018-11408Symfony Open Redirect
>= 2.7.0, < 2.7.48
MEDIUM6.1CVE-2018-19790Symfony Open Redirect
>= 2.7.38, < 2.7.50
MEDIUM6.1CVE-2013-4752Symfony Host Header Injection vulnerability in the HttpFoundation component
>= 2.0.0, < 2.0.24
MEDIUM5.9CVE-2022-24894Symfony storing cookie headers in HttpCache
>= 2.0.0, < 4.4.50
MEDIUM5.9CVE-2018-11386Symfony DoS
>= 2.7.0, < 2.7.48
MEDIUM5.9CVE-2017-16653Symfony CSRF Vulnerability
>= 2.7.0, < 2.7.38
MEDIUM5.4CVE-2019-10909symfony - security update
>= 2.7.0, < 2.7.51
MEDIUM5.3CVE-2015-2309Symfony has unsafe methods in the Request class
>= 2.0.0, < 2.3.27
MEDIUM5.3CVE-2014-6061Symfony has a security issue when parsing the Authorization header
>= 2.0.0, < 2.3.19
MEDIUM5.3CVE-2018-19789Symfony Path Disclosure
>= 2.7.0, < 2.7.50
MEDIUM5.3CVE-2021-21424Prevent user enumeration using Guard or the new Authenticator-based Security
>= 2.8.0, < 3.4.49
MEDIUM5.3CVE-2019-18886symfony - security update
>= 4.1.0, < 4.2.12
MEDIUM4.6CVE-2020-5274Exceptions displayed in non-debug configurations in Symfony
>= 4.4.0, < 4.4.4
LOW3.1CVE-2024-50343symfony - security update
from 0, < 5.4.43
LOW3.1CVE-2024-50342Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
>= 4.3.0, < 5.4.47
LOW3.1CVE-2024-50341Symfony's `Security::login` does not take into account custom `user_checker`
>= 6.2.0, < 6.4.10
LOW3.1CVE-2015-8124symfony - security update
>= 2.3.0, < 2.3.35
LOW2.6CVE-2020-5255Prevent cache poisoning via a Response Content-Type header in Symfony
>= 4.4.0, < 4.4.7
—CVE-2026-45305Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
from 0, < 5.4.52
—CVE-2026-45304Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
from 0, < 5.4.52
—CVE-2026-45133Symfony hardened the parser when handling untrusted input
from 0, < 5.4.52
—CVE-2026-45077Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
from 0, < 5.4.52
—CVE-2026-45075Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
>= 7.4.0, < 7.4.12
—CVE-2026-45074Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
>= 7.1.0, < 7.4.12
—CVE-2026-45073Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
from 0, < 5.4.52
—CVE-2026-45072Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
>= 6.4.24, < 6.4.40
—CVE-2026-45071Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
from 0, < 5.4.52
—CVE-2026-45070Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
from 0, < 5.4.52
—CVE-2026-45069Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
>= 6.3.0, < 6.4.40
—CVE-2026-45068Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
from 0, < 5.4.52
—CVE-2026-45067Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
from 0, < 5.4.52
—CVE-2026-45066Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
>= 6.1.0, < 6.4.40
—CVE-2026-45064Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
>= 6.1.0, < 6.4.40
—CVE-2026-45065Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
from 0, < 5.4.52
—CVE-2026-45063Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
from 0, < 5.4.52
—CVE-2026-45756Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS
>= 7.3.0, < 7.4.12
—CVE-2026-47212Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
>= 6.4.0, < 6.4.40
—CVE-2026-45753Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
>= 6.1.0, < 6.4.40
—CVE-2026-45755Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection
>= 7.2.0, < 7.4.12
—CVE-2026-45754Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
>= 6.4.0, < 6.4.40
—CVE-2012-6432Symfony Access Control Vulnerability
—CVE-2012-6431Symfony Allows URI Restrictions Bypass Via Double-Encoded String
>= 2.0.0, < 2.0.19
—CVE-2013-5958Symfony Denial of Service Via Long Password Hashing
>= 2.0.0, < 2.0.25
—CVE-2015-2308Symfony Vulnerable to PHP Eval Injection
>= 2.0.0, < 2.3.27
—CVE-2015-8125Symfony Vulnerable to Timing Attack
>= 2.3.0, < 2.3.35
—CVE-2015-4050symfony - security update
>= 2.3.19, < 2.3.29
—CVE-2013-1348Symphony Vulnerable to PHP Code Injection via YAML Parsing
>= 2.0.0, < 2.0.22
—CVE-2013-1397Symfony Arbitrary PHP code Execution
>= 2.2.0-BETA1, < 2.2.0-BETA2