Sensiolabs

All CVEs

56 total · sorted by risk
  • CVE-2016-2403 · Critical · Feb 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

  • CVE-2026-24425 · High · May 20, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the…

  • CVE-2016-4423 · High · Jun 1, 2016
    risk 0.49 · cvss 7.5 · epss 0.02

    The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which…

  • CVE-2001-1537 · High · Dec 31, 2001
    risk 0.49 · cvss 7.5 · epss 0.01

    The default "basic" security setting in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in cookies, which could allow attackers to obtain authentication information and gain privileges.

  • CVE-2024-50340 · High · Nov 6, 2024
    risk 0.46 · cvss 7.3 · epss 0.63

    symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the…

  • CVE-2024-36611 · High · Nov 29, 2024
    risk 0.42 · cvss 7.5 · epss 0.01

    In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper…

  • CVE-2024-51996 · High · Nov 13, 2024
    risk 0.42 · cvss 7.5 · epss 0.01

    Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to…

  • CVE-2016-1902 · High · Jun 1, 2016
    risk 0.42 · cvss 7.5 · epss 0.02

    The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails,…

  • CVE-2018-12040 · Medium · Jun 13, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web…

  • CVE-2026-55878 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    The `ux:install` console command installs files from a recipe kit by copying paths listed in a `copy-files` map. The only guard against malicious paths was `Path::isRelative()`, which returns `true` for paths like `../../../etc`. `Path::join()` then resolves the…

  • CVE-2024-6552 · Medium · Aug 8, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible…

  • CVE-2025-47946 · Medium · May 19, 2025
    risk 0.33 · cvss 6.1 · epss 0.00

    Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) outputs attribute…

  • CVE-2024-50343 · Low · Nov 6, 2024
    risk 0.13 · cvss 3.1 · epss 0.00

    symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacter, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11,…

  • CVE-2024-50341 · Low · Nov 6, 2024
    risk 0.13 · cvss 3.1 · epss 0.00

    symfony/security-bundle is a module for the Symfony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when logging in programmatically with the…

  • CVE-2015-4050 · Jun 2, 2015
    risk 0.01 · cvss n/a · epss 0.08

    FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL…

  • CVE-2026-55877 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    The `ux_icon()` Twig function is marked `is_safe=['html']`, so Twig never escapes its output. `Icon::toHtml()` inlines the SVG source verbatim into the page. Browsers execute `` elements and `on*` event-handler attributes found inside inline SVG, making…

  • CVE-2026-49216 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    The Stimulus controller shipped with `symfony/ux-autocomplete` renders AJAX response items into the dropdown by interpolating the `text` field directly into HTML template literals (`${item[labelField]}`) inside `_createAutocompleteWithRemoteData()`.…

  • CVE-2026-49215 · low · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    When using `symfony/ux-live-component`, methods annotated with `#[LiveAction]` are invokable from the browser and mutate server-side state via AJAX. `Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest()` gated these…

  • CVE-2026-49212 · low · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    In `symfony/ux-live-component`, a component's server-side state is exposed to the browser as a set of props (`#[LiveProp]`-annotated properties). Props marked `writable: true` can be freely changed by the client. Read-only props are round-tripped to the browser…

  • CVE-2026-49211 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    `Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` builds the `LIKE` expression used by the autocomplete endpoint by wrapping the client-supplied query in `%...%` without escaping the SQL `LIKE` wildcards (`%`, `_`, `\`). The value is passed…

  • CVE-2026-49210 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    `Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml()` interpolates the `$childTag` argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (`children[id].tag`)…

  • CVE-2026-49209 · low · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    `Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never…

  • CVE-2026-49208 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()` falls back to `new $className($value)`. The `DateTime` / `DateTimeImmutable` constructors accept…

  • CVE-2026-47767 · Jun 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    CVE-2024-50340 (GHSA-x8vp-gf4q-mw5j) addressed an issue where, with `register_argc_argv=On`, a crafted query string let an unauthenticated GET change the kernel environment and debug flag by feeding `--env`/`--no-debug` through `$_SERVER['argv']`. The fix…

  • CVE-2026-24739 · Jan 28, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping…

  • CVE-2025-64500 · Nov 12, 2025
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the…

  • CVE-2024-50342 · Nov 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to…

  • CVE-2024-50345 · Nov 6, 2024
    risk 0.00 · cvss n/a · epss 0.01

    symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying…

  • CVE-2024-51736 · Nov 6, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments,…

  • CVE-2023-46735 · Nov 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now…

  • CVE-2023-46734 · Nov 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their…

  • CVE-2023-46733 · Nov 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in…

  • CVE-2022-24894 · Feb 3, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the…

  • CVE-2022-24895 · Feb 3, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login,…

  • CVE-2022-23601 · Feb 1, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the…

  • CVE-2021-41270 · Nov 24, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection,…

  • CVE-2021-41267 · Nov 24, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In…

  • CVE-2021-41268 · Nov 24, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password.…

  • CVE-2021-32693 · Jun 17, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token…

  • CVE-2021-21424 · May 13, 2021
    risk 0.00 · cvss n/a · epss 0.02

    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch…

  • CVE-2020-15094 · Sep 2, 2020
    risk 0.00 · cvss n/a · epss 0.03

    In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The…

  • CVE-2020-5275 · Mar 30, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that…

  • CVE-2020-5274 · Mar 30, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the…

  • CVE-2020-5255 · Mar 30, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and…

  • CVE-2017-18343 · Medium · Jul 20, 2018
    risk 0.00 · cvss 6.1 · epss 0.06

    The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that…

  • CVE-2015-8125 · Dec 7, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2)…

  • CVE-2015-8124 · Dec 7, 2015
    risk 0.00 · cvss n/a · epss 0.03

    Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 allows remote attackers to hijack web sessions via a session id.

  • CVE-2015-7809 · Nov 6, 2015
    risk 0.00 · cvss n/a · epss 0.03

    The displayBlock function in Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

  • CVE-2015-2308 · Jun 24, 2015
    risk 0.00 · cvss n/a · epss 0.01

    Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element.

  • CVE-2013-5958 · Dec 27, 2014
    risk 0.00 · cvss n/a · epss 0.02

    The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a…

Page 1 of 2