pkg:Debian/symfony

96 total CVEs: CRITICAL 7, HIGH 20, MEDIUM 26, LOW 8

All known vulnerabilities

  • CRITICAL 9.8 CVE-2018-11407 Symfony Authentication Bypass
    from 0, < 3.4.12+dfsg-1
  • CRITICAL 9.8 CVE-2016-2403 symfony - security update
    from 0, < 2.8.7+dfsg-1.3+deb9u1
  • CRITICAL 9.8 CVE-2016-2403 symfony - security update
    from 0, < 2.8.6+dfsg-1
  • CRITICAL 9.8 CVE-2019-11325 Improper Input Validation in Symfony
    from 0, < 4.3.8+dfsg-1
  • CRITICAL 9.8 CVE-2019-10913 Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
    from 0, < 3.4.22+dfsg-2
  • CRITICAL 9.8 CVE-2019-18889 Symfony Unsafe Cache Serialization Could Enable RCE
    from 0, < 4.3.8+dfsg-1
  • CRITICAL 9.8 CVE-2019-10910 Symfony Service IDs Allow Injection
    from 0, < 3.4.22+dfsg-2
  • HIGH 8.8 CVE-2018-11406 Symfony CSRF Token Fixation
    from 0, < 3.4.12+dfsg-1
  • HIGH 8.1 CVE-2018-11385 Symfony Session Fixation Vulnerability
    from 0, < 3.4.12+dfsg-1
  • HIGH 8.1 CVE-2019-18887 symfony - security update
    from 0, < 4.3.8+dfsg-1
  • HIGH 8.1 CVE-2019-18887 symfony - security update
    from 0, < 2.8.7+dfsg-1.3+deb9u3
  • HIGH 8.0 CVE-2020-15094 RCE in Symfony
    from 0, < 4.4.13+dfsg-1
  • HIGH 7.6 CVE-2020-5275 Firewall configured with unanimous strategy was not actually unanimous in Symfony
    from 0, < 4.4.8-1
  • HIGH 7.5 CVE-2024-36611 In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cas…
    from 0
  • HIGH 7.5 CVE-2024-51996 symfony - security update
    from 0, < 5.4.23+dfsg-1+deb12u4
  • HIGH 7.5 CVE-2016-4423 Symfony Denial of Service Via Overlong Usernames
    from 0, < 2.8.6+dfsg-1
  • HIGH 7.5 CVE-2016-1902 symfony - security update
    from 0, < 2.3.21+dfsg-4+deb8u3
  • HIGH 7.5 CVE-2016-1902 symfony - security update
    from 0, < 2.7.9+dfsg-1
  • HIGH 7.5 CVE-2017-16654 Symfony Directory Traversal
    from 0, < 3.4.0+dfsg-1
  • HIGH 7.5 CVE-2019-10911 Improper authentication in Symfony
    from 0, < 3.4.22+dfsg-2
  • HIGH 7.5 CVE-2019-18888 Argument injection in a MimeTypeGuesser in Symfony
    from 0, < 4.3.8+dfsg-1
  • HIGH 7.3 CVE-2025-64500 Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
    from 0
  • HIGH 7.3 CVE-2024-50340 symfony - security update
    from 0, < 5.4.23+dfsg-1+deb12u3
  • HIGH 7.2 CVE-2018-14774 Symfony Host Header Injection
    from 0, < 3.4.14+dfsg-1
  • HIGH 7.1 CVE-2019-10912 Deserialization of untrusted data in Symfony
    from 0, < 3.4.22+dfsg-2
  • MEDIUM 6.5 CVE-2023-46733 Symfony possible session fixation vulnerability
    from 0, < 5.4.23+dfsg-1+deb12u1
  • MEDIUM 6.5 CVE-2017-16790 Symfony SSRF Vulnerability via Form Component
    from 0, < 3.4.0+dfsg-1
  • MEDIUM 6.5 CVE-2018-14773 symfony - security update
    from 0, < 2.8.7+dfsg-1.3+deb9u2
  • MEDIUM 6.5 CVE-2018-14773 symfony - security update
    from 0, < 3.4.14+dfsg-1
  • MEDIUM 6.5 CVE-2021-41270 CSV Injection in symfony/serializer
    from 0, < 4.4.19+dfsg-2+deb11u1
  • MEDIUM 6.3 CVE-2022-24895 Symfony vulnerable to Session Fixation of CSRF tokens
    from 0, < 4.4.19+dfsg-2+deb11u2
  • MEDIUM 6.1 CVE-2023-46734 symfony - security update
    from 0, < 4.4.19+dfsg-2+deb11u4
  • MEDIUM 6.1 CVE-2023-46734 symfony - security update
    from 0, < 3.4.22+dfsg-2+deb10u3
  • MEDIUM 6.1 CVE-2017-16652 symfony - security update
    from 0, < 3.4.0+dfsg-1
  • MEDIUM 6.1 CVE-2017-16652 symfony - security update
    from 0, < 2.3.21+dfsg-4+deb8u4
  • MEDIUM 6.1 CVE-2018-11408 Symfony Open Redirect
    from 0, < 3.4.12+dfsg-1
  • MEDIUM 6.1 CVE-2018-19790 Symfony Open Redirect
    from 0, < 3.4.20+dfsg-1
  • MEDIUM 6.1 CVE-2017-18343 The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key dur…
    from 0, < 3.4.0+dfsg-1
  • MEDIUM 6.1 CVE-2018-12040 Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitr…
    from 0, < 3.4.12+dfsg-1
  • MEDIUM 5.9 CVE-2022-24894 Symfony storing cookie headers in HttpCache
    from 0, < 4.4.19+dfsg-2+deb11u2
  • MEDIUM 5.9 CVE-2018-11386 Symfony DoS
    from 0, < 3.4.12+dfsg-1
  • MEDIUM 5.9 CVE-2017-16653 Symfony CSRF Vulnerability
    from 0, < 3.4.0+dfsg-1
  • MEDIUM 5.4 CVE-2019-10909 symfony - security update
    from 0, < 2.3.21+dfsg-4+deb8u5
  • MEDIUM 5.4 CVE-2019-10909 symfony - security update
    from 0, < 3.4.22+dfsg-2
  • MEDIUM 5.3 CVE-2015-2309 Symfony has unsafe methods in the Request class
    from 0, < 2.3.21+dfsg-4
  • MEDIUM 5.3 CVE-2018-19789 Symfony Path Disclosure
    from 0, < 3.4.20+dfsg-1
  • MEDIUM 5.3 CVE-2021-21424 Prevent user enumeration using Guard or the new Authenticator-based Security
    from 0, < 4.4.19+dfsg-2
  • MEDIUM 5.3 CVE-2021-21424 Prevent user enumeration using Guard or the new Authenticator-based Security
    from 0, < 3.4.22+dfsg-2+deb10u2
  • MEDIUM 5.3 CVE-2019-18886 symfony - security update
    from 0, < 2.3.21+dfsg-4+deb8u6
  • MEDIUM 5.3 CVE-2019-18886 symfony - security update
    from 0, < 4.3.8+dfsg-1
  • MEDIUM 4.6 CVE-2020-5274 Exceptions displayed in non-debug configurations in Symfony
    from 0, < 4.4.8-1
  • LOW 3.1 CVE-2024-50345 Symfony vulnerable to open redirect via browser-sanitized URLs
    from 0, < 4.4.19+dfsg-2+deb11u7
  • LOW 3.1 CVE-2024-50343 symfony - security update
    from 0, < 4.4.19+dfsg-2+deb11u7
  • LOW 3.1 CVE-2024-50342 Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
    from 0, < 5.4.23+dfsg-1+deb12u3
  • LOW 3.1 CVE-2024-50341 Symfony's `Security::login` does not take into account custom `user_checker`
    from 0, < 6.4.10+dfsg-1
  • LOW 3.1 CVE-2015-8124 symfony - security update
    from 0, < 2.3.21+dfsg-4+deb8u2
  • LOW 3.1 CVE-2015-8124 symfony - security update
    from 0, < 2.7.7+dfsg-1
  • LOW 2.6 CVE-2020-5255 Prevent cache poisoning via a Response Content-Type header in Symfony
    from 0, < 4.4.8-1
  • CVE-2026-45305 Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
    from 0
  • CVE-2026-45304 Symfony's YAML Parser Vulnerable to Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
    from 0
  • CVE-2026-45133 Symfony hardened the parser when handling untrusted input
    from 0
  • CVE-2026-45077 Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener
    from 0
  • CVE-2026-45075 Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
    from 0, < 7.4.12+dfsg-1
  • CVE-2026-45074 Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
    from 0, < 7.4.12+dfsg-1
  • CVE-2026-45073 Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix
    from 0
  • CVE-2026-45072 Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
    from 0
  • CVE-2026-45071 Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
    from 0
  • CVE-2026-45070 Symfony has Email Header Injection via Non-Token Characters in Mime Parameter Names
    from 0
  • CVE-2026-45069 Symfony's OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
    from 0
  • CVE-2026-45068 Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
    from 0
  • CVE-2026-45067 Symfony has Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
    from 0
  • CVE-2026-45066 Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
    from 0
  • CVE-2026-45064 Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
    from 0
  • CVE-2026-48784 (no summary)
    from 0
  • CVE-2026-48760 (no summary)
    from 0
  • CVE-2026-48747 (no summary)
    from 0
  • CVE-2026-48761 (no summary)
    from 0
  • CVE-2026-48736 (no summary)
    from 0
  • CVE-2026-48489 (no summary)
    from 0
  • CVE-2026-45065 Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
    from 0
  • CVE-2026-45063 Symfony Vulnerable to Identity Spoofing via Unanchored DN Regex in X509Authenticator
    from 0
  • CVE-2026-45756 Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS
    from 0, < 7.4.12+dfsg-1
  • CVE-2026-47212 Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification
    from 0
  • CVE-2026-45753 Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)
    from 0
  • CVE-2026-45755 Symfony's Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection
    from 0, < 7.4.12+dfsg-1
  • CVE-2026-46626 (no summary)
    from 0
  • CVE-2026-45754 Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
    from 0
  • CVE-2015-2308 Symfony Vulnerable to PHP Eval Injection
    from 0, < 2.3.21+dfsg-4
  • CVE-2015-8125 Symfony Vulnerable to Timing Attack
    from 0, < 2.7.7+dfsg-1
  • CVE-2015-4050 symfony - security update
    from 0, < 2.3.21+dfsg-4+deb8u1
  • CVE-2015-4050 symfony - security update
    from 0, < 2.7.0~beta2+dfsg-2
  • CVE-2008-7220 Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests…
    from 0, < 1.0.21-1.1
  • CVE-2007-2383 asterisk - several vulnerabilities
    from 0, < 1.0.21-1.1