
sensiolabs symfony

70 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Description | CVSS |
|---|---|---|---|
| CVE-2026-24739 | < 5.4.51 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33 | 6.3 MEDIUM |
| CVE-2025-68129 | >= 5.0.0 and < 5.6.0 | Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience va | 6.8 MEDIUM |
| CVE-2025-64500 | >= 2.0.0 and < 5.4.50 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation compone | 7.3 HIGH |
| CVE-2024-51736 | < 5.4.46 | Symfony process is a module for the Symfony PHP framework which executes commands in sub-processes. On Windows, when an executab | NONE |
| CVE-2024-50345 | < 5.4.46 | symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specificati | 3.1 LOW |
| CVE-2024-45411 | >= 1.0.0 and < 1.44.8 | Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contribut | 8.5 HIGH |
| CVE-2023-46735 | >= 6.0.0 and < 6.3.8 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and pr | 6.1 MEDIUM |
| CVE-2023-46734 | >= 2.0.0 and < 4.4.51 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0. | 6.1 MEDIUM |
| CVE-2023-46733 | >= 5.4.21 and < 5.4.31 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and | 6.5 MEDIUM |
| CVE-2023-41336 | < 2.11.2 | ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfull | 6.5 MEDIUM |
| CVE-2022-24895 | >= 2.0.0 and < 4.4.50 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfon | 6.3 MEDIUM |
| CVE-2022-24894 | >= 2.0.0 and < 4.4.50 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, a | 5.9 MEDIUM |
| CVE-2022-39261 | >= 1.0.0 and < 1.44.7 | Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue | 7.5 HIGH |
| CVE-2022-23614 | >= 2.0.0 and < 2.14.11 | Twig is an open source template language for PHP. When in a sandbox mode, the arrow parameter of the sort filter must be a clo | 8.8 HIGH |
| CVE-2022-23601 | < 5.3.15 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provi | 8.1 HIGH |
| CVE-2021-41270 | >= 4.1.0 and < 4.4.35 | Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applicat | 6.5 MEDIUM |
| CVE-2021-41268 | >= 5.3.0 and < 5.3.12 | Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable | 6.5 MEDIUM |
| CVE-2021-41267 | >= 5.2.0 and < 5.3.12 | Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusab | 6.5 MEDIUM |
| CVE-2021-32693 | >= 5.3.0 and < 5.3.2 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firew | 6.8 MEDIUM |
| CVE-2021-21424 | >= 2.8.0 and < 3.4.48 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users w | 5.3 MEDIUM |
| CVE-2020-15094 | >= 4.4.0 and < 4.4.13 | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpC | 8.0 HIGH |
| CVE-2020-5275 | >= 4.4.0 and < 4.4.7 | In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rules, it iterates over each rule | 7.6 HIGH |
| CVE-2020-5274 | >= 4.4.0 and < 4.4.4 | In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the ErrorHandler ren | 4.6 MEDIUM |
| CVE-2020-5255 | >= 4.4.0 and < 4.4.7 | In Symfony before versions 4.4.7 and 5.0.7, when a Response does not contain a Content-Type header, affected versions of Symfo | 2.6 LOW |
| CVE-2013-4752 | >= 2.0.0 and < 2.0.24 | Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation c | 6.1 MEDIUM |
| CVE-2019-18889 | >= 3.4.0 and <= 3.4.34 | An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache | 9.8 CRITICAL |
| CVE-2019-18888 | >= 2.8.0 and <= 2.8.50 | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If a | 7.5 HIGH |
| CVE-2019-18887 | >= 2.8.0 and <= 2.8.50 | An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The | 8.1 HIGH |
| CVE-2019-11325 | >= 4.2.0 and < 4.2.12 | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allo | 9.8 CRITICAL |
| CVE-2019-18886 | >= 4.2.0 and <= 4.2.11 | An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to differen | 5.3 MEDIUM |
| CVE-2013-4751 | >= 2.0.0 and < 2.0.24 | php-symfony2-Validator has loss of information during serialization | 8.1 HIGH |
| CVE-2017-11365 | all versions | Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2 | 9.8 CRITICAL |
| CVE-2019-10913 | >= 2.7.0 and < 2.7.51 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided | 9.8 CRITICAL |
| CVE-2019-10912 | >= 2.8.0 and < 2.8.50 | In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may c | 7.1 HIGH |
| CVE-2019-10911 | >= 2.7.0 and < 2.7.51 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would | 7.5 HIGH |
| CVE-2019-10910 | >= 2.7.0 and < 2.7.51 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allo | 9.8 CRITICAL |
| CVE-2019-10909 | >= 2.7.0 and < 2.7.51 | In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages a | 5.4 MEDIUM |
| CVE-2019-9942 | < 1.38.0 | A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possib | 3.7 LOW |
| CVE-2018-19790 | >= 2.7.0 and < 2.7.50 | An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x | 6.1 MEDIUM |
| CVE-2018-19789 | >= 2.7.0 and < 2.7.50 | An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before | 5.3 MEDIUM |
| CVE-2017-16790 | >= 2.7.0 and <= 2.7.37 | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by th | 6.5 MEDIUM |
| CVE-2017-16654 | >= 2.7.0 and <= 2.7.37 | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes va | 7.5 HIGH |
| CVE-2017-16653 | >= 2.7.0 and <= 2.7.37 | An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of | 5.9 MEDIUM |
| CVE-2018-14774 | >= 2.7.0 and <= 2.7.48 | An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3 | 7.2 HIGH |
| CVE-2018-14773 | > 2.7.0 and <= 2.7.48 | An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 thro | 6.5 MEDIUM |
| CVE-2017-18343 | < 2.7.33 | The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an arra | 6.1 MEDIUM |
| CVE-2018-13818 | < 2.4.4 | Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out th | 9.8 CRITICAL |
| CVE-2018-12040 | all versions | Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inje | 6.1 MEDIUM |
| CVE-2018-11408 | >= 2.7.0 and < 2.7.48 | The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x | 6.1 MEDIUM |
| CVE-2018-11407 | >= 2.8.0 and < 2.8.37 | An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x b | 9.8 CRITICAL |
| CVE-2018-11406 | >= 2.7.0 and < 2.7.48 | An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x | 8.8 HIGH |
| CVE-2018-11386 | >= 2.7.0 and < 2.7.48 | An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, | 5.9 MEDIUM |
| CVE-2018-11385 | >= 2.7.0 and < 2.7.48 | An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x | 8.1 HIGH |
| CVE-2017-16652 | > 2.7.0 and < 2.7.38 | An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. Default | 6.1 MEDIUM |
| CVE-2016-2403 | all versions | Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password an | 9.8 CRITICAL |
| CVE-2016-4423 | <= 2.3.40 | The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony b | 7.5 HIGH |
| CVE-2016-1902 | <= 2.3.36 | The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not pr | 7.5 HIGH |
| CVE-2015-8125 | all versions | Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact v | |
| CVE-2015-8124 | all versions | Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x b | |
| CVE-2015-7809 | <= 1.19.0 | The displayBlock function in Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to | |
| CVE-2015-2308 | all versions | Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and | |
| CVE-2015-4050 | all versions | FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6 | |
| CVE-2013-5958 | all versions | The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remo | |
| CVE-2013-1397 | all versions | Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x allows remote attackers to execute arbitrary PHP code via a serialized PHP obj | |
| CVE-2013-1348 | all versions | The Yaml::parse function in Symfony 2.0.x before 2.0.22 allows remote attackers to execute arbitrary PHP code via a PHP file, a different | |
| CVE-2012-6432 | all versions | Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote att | |
| CVE-2012-6431 | all versions | Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allow | |
| CVE-2012-5574 | <= 1.4.19 | lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload reques | |
| CVE-2012-2667 | <= 1.4.17 | Session fixation vulnerability in lib/user/sfBasicSecurityUser.class.php in SensioLabs Symfony before 1.4.18 allows remote attacke | |
| CVE-2001-1537 | <= 2.7.4 | The default "basic" security setting in config.php for TWIG webmail 2.7.4 and earlier stores cleartext usernames and passwords in | 7.5 HIGH |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin