Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/150800?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/150800?format=api", "purl": "pkg:composer/symfony/http-foundation@2.4.7", "type": "composer", "namespace": "symfony", "name": "http-foundation", "version": "2.4.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.4.50", "latest_non_vulnerable_version": "7.3.7", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9451?format=api", "vulnerability_id": "VCID-2hua-7wbd-tqbx", "summary": "Insufficient Session Expiration\nThe `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11386", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77843", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77939", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77901", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77917", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77891", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77886", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77859", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77877", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01086", "scoring_system": "epss", "scoring_elements": "0.77849", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11386" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2403" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16652" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16654" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16790" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11385" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11386" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11406" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml" }, { "reference_url": "https://github.com/symfony/symfony", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11386", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:M/Au:N/C:N/I:N/A:P" }, { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11386" }, { "reference_url": "https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler" }, { "reference_url": "https://www.debian.org/security/2018/dsa-4262", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2018/dsa-4262" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" }, { "reference_url": "https://symfony.com/cve-2018-11386", "reference_id": "CVE-2018-11386", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2018-11386" }, { "reference_url": "https://github.com/advisories/GHSA-r2rq-3h56-fqm4", "reference_id": "GHSA-r2rq-3h56-fqm4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2rq-3h56-fqm4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84046?format=api", "purl": "pkg:composer/symfony/http-foundation@2.7.48", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.7.48" }, { "url": "http://public2.vulnerablecode.io/api/packages/29051?format=api", "purl": "pkg:composer/symfony/http-foundation@2.8.41", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.8.41" }, { "url": "http://public2.vulnerablecode.io/api/packages/84047?format=api", "purl": "pkg:composer/symfony/http-foundation@3.3.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.3.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/29052?format=api", "purl": "pkg:composer/symfony/http-foundation@3.4.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.4.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/29053?format=api", "purl": "pkg:composer/symfony/http-foundation@4.0.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.11" } ], "aliases": [ "CVE-2018-11386", "GHSA-r2rq-3h56-fqm4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2hua-7wbd-tqbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7001?format=api", "vulnerability_id": "VCID-6cea-up73-y3hn", "summary": "Improper Authorization\nSecurity issue when parsing the Authorization header.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2014-6061.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2014-6061.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-6061.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-6061.yaml" }, { "reference_url": "https://github.com/symfony/symfony/commit/3b4046e89467dc1fb5e079e377c2cfd4c239f904", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/3b4046e89467dc1fb5e079e377c2cfd4c239f904" }, { "reference_url": "https://github.com/symfony/symfony/pull/11829", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/pull/11829" }, { "reference_url": "https://symfony.com/cve-2014-6061", "reference_id": "CVE-2014-6061", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2014-6061" }, { "reference_url": "https://github.com/advisories/GHSA-h7v2-2qwg-h829", "reference_id": "GHSA-h7v2-2qwg-h829", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h7v2-2qwg-h829" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20782?format=api", "purl": "pkg:composer/symfony/http-foundation@2.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.4.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/150802?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.0-BETA1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.0-BETA1" }, { "url": "http://public2.vulnerablecode.io/api/packages/20783?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/21072?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.11" } ], "aliases": [ "CVE-2014-6061", "GHSA-h7v2-2qwg-h829" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6cea-up73-y3hn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/17179?format=api", "vulnerability_id": "VCID-9bzz-84cq-ykh2", "summary": "Symfony vulnerable to open redirect via browser-sanitized URLs\n### Description\n\nThe `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain.\n\n### Resolution\n\nThe `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4.\n\n### Credits\n\nWe would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50345", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60271", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60359", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60318", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60337", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60351", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.6033", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60316", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60266", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00394", "scoring_system": "epss", "scoring_elements": "0.60297", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50345" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml" }, { "reference_url": "https://github.com/symfony/symfony", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony" }, { "reference_url": "https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819" }, { "reference_url": "https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/" } ], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50345", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50345" }, { "reference_url": "https://symfony.com/cve-2024-50345", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2024-50345" }, { "reference_url": "https://url.spec.whatwg.org", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/" } ], "url": "https://url.spec.whatwg.org" }, { "reference_url": "https://github.com/advisories/GHSA-mrqx-rp3w-jpjp", "reference_id": "GHSA-mrqx-rp3w-jpjp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mrqx-rp3w-jpjp" }, { "reference_url": "https://usn.ubuntu.com/7272-1/", "reference_id": "USN-7272-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7272-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56922?format=api", "purl": "pkg:composer/symfony/http-foundation@5.4.46", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@5.4.46" }, { "url": "http://public2.vulnerablecode.io/api/packages/56924?format=api", "purl": "pkg:composer/symfony/http-foundation@6.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@6.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/56931?format=api", "purl": "pkg:composer/symfony/http-foundation@7.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@7.1.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/723522?format=api", "purl": "pkg:composer/symfony/http-foundation@7.2.0-BETA1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@7.2.0-BETA1" } ], "aliases": [ "CVE-2024-50345", "GHSA-mrqx-rp3w-jpjp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9bzz-84cq-ykh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9718?format=api", "vulnerability_id": "VCID-bhfu-7788-fbhc", "summary": "URL Rewrite vulnerability\nAn issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-14773", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94921", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94938", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.9493", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94928", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94926", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94895", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94904", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94906", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94908", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.16652", "scoring_system": "epss", "scoring_elements": "0.94917", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-14773" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19789", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19789" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19790", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19790" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10909" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10910", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10910" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml" }, { "reference_url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14773", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14773" }, { "reference_url": "https://seclists.org/bugtraq/2019/May/21", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://seclists.org/bugtraq/2019/May/21" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4441", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2019/dsa-4441" }, { "reference_url": "https://www.drupal.org/SA-CORE-2018-005", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.drupal.org/SA-CORE-2018-005" }, { "reference_url": "http://www.securityfocus.com/bid/104943", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/104943" }, { "reference_url": "http://www.securitytracker.com/id/1041405", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securitytracker.com/id/1041405" }, { "reference_url": "https://security.archlinux.org/AVG-744", "reference_id": "AVG-744", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-744" }, { "reference_url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers", "reference_id": "CVE-2018-14773-REMOVE-SUPPORT-FOR-LEGACY-AND-RISKY-HTTP-HEADERS", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers" }, { "reference_url": "https://github.com/advisories/GHSA-8wgj-6wx8-h5hq", "reference_id": "GHSA-8wgj-6wx8-h5hq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8wgj-6wx8-h5hq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83794?format=api", "purl": "pkg:composer/symfony/http-foundation@2.7.49", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.7.49" }, { "url": "http://public2.vulnerablecode.io/api/packages/29859?format=api", "purl": "pkg:composer/symfony/http-foundation@2.8.44", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.8.44" }, { "url": "http://public2.vulnerablecode.io/api/packages/83795?format=api", "purl": "pkg:composer/symfony/http-foundation@3.3.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.3.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/29860?format=api", "purl": "pkg:composer/symfony/http-foundation@3.4.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.4.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/29861?format=api", "purl": "pkg:composer/symfony/http-foundation@4.0.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/29862?format=api", "purl": "pkg:composer/symfony/http-foundation@4.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3uu1-kftu-nbhd" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.1.3" } ], "aliases": [ "CVE-2018-14773", "GHSA-8wgj-6wx8-h5hq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bhfu-7788-fbhc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50580?format=api", "vulnerability_id": "VCID-jdsd-3vnz-uygn", "summary": "Argument injection in a MimeTypeGuesser in Symfony\nAn issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84766", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84787", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84693", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84708", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84728", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84729", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84751", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84758", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84776", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0231", "scoring_system": "epss", "scoring_elements": "0.84772", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18888" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18887", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18887" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18888", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18888" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml" }, { "reference_url": "https://github.com/symfony/symfony/releases/tag/v4.3.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18888", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:N/C:N/I:P/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18888" }, { "reference_url": "https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser" }, { "reference_url": "https://symfony.com/blog/symfony-4-3-8-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/symfony-4-3-8-released" }, { "reference_url": "https://symfony.com/cve-2019-18888", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2019-18888" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*" }, { "reference_url": "https://github.com/advisories/GHSA-xhh6-956q-4q69", "reference_id": "GHSA-xhh6-956q-4q69", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xhh6-956q-4q69" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78861?format=api", "purl": "pkg:composer/symfony/http-foundation@2.8.52", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.8.52" }, { "url": "http://public2.vulnerablecode.io/api/packages/78862?format=api", "purl": "pkg:composer/symfony/http-foundation@3.4.35", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.4.35" }, { "url": "http://public2.vulnerablecode.io/api/packages/78863?format=api", "purl": "pkg:composer/symfony/http-foundation@4.2.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.2.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/78864?format=api", "purl": "pkg:composer/symfony/http-foundation@4.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-e71e-d4tr-wqgz" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.3.8" } ], "aliases": [ "CVE-2019-18888", "GHSA-xhh6-956q-4q69" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jdsd-3vnz-uygn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22277?format=api", "vulnerability_id": "VCID-p1dw-w76f-gbfv", "summary": "Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass\nThe `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64500", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.14662", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01842", "scoring_system": "epss", "scoring_elements": "0.82999", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0197", "scoring_system": "epss", "scoring_elements": "0.83544", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0197", "scoring_system": "epss", "scoring_elements": "0.83538", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.02482", "scoring_system": "epss", "scoring_elements": "0.85295", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.03928", "scoring_system": "epss", "scoring_elements": "0.88321", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.03928", "scoring_system": "epss", "scoring_elements": "0.88316", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.03928", "scoring_system": "epss", "scoring_elements": "0.88296", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.03928", "scoring_system": "epss", "scoring_elements": "0.88291", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-64500" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500" }, { "reference_url": "https://github.com/symfony/symfony", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony" }, { "reference_url": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/" } ], "url": "https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64500", "reference_id": "CVE-2025-64500", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64500" }, { "reference_url": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass", "reference_id": "CVE-2025-64500-INCORRECT-PARSING-OF-PATH-INFO-CAN-LEAD-TO-LIMITED-AUTHORIZATION-BYPASS", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/" } ], "url": "https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml", "reference_id": "CVE-2025-64500.YAML", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml", "reference_id": "CVE-2025-64500.YAML", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-3rg7-wf37-54rm", "reference_id": "GHSA-3rg7-wf37-54rm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3rg7-wf37-54rm" }, { "reference_url": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm", "reference_id": "GHSA-3rg7-wf37-54rm", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/" } ], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64870?format=api", "purl": "pkg:composer/symfony/http-foundation@5.4.50", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@5.4.50" }, { "url": "http://public2.vulnerablecode.io/api/packages/64871?format=api", "purl": "pkg:composer/symfony/http-foundation@6.4.29", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@6.4.29" }, { "url": "http://public2.vulnerablecode.io/api/packages/64872?format=api", "purl": "pkg:composer/symfony/http-foundation@7.3.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@7.3.7" } ], "aliases": [ "CVE-2025-64500", "GHSA-3rg7-wf37-54rm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p1dw-w76f-gbfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7002?format=api", "vulnerability_id": "VCID-qty4-cyfa-rugw", "summary": "Uncontrolled Resource Consumption\nDenial of service with a malicious HTTP Host header.", "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2014-5244.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2014-5244.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-5244.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-5244.yaml" }, { "reference_url": "https://github.com/symfony/symfony/commit/1ee96a8b1b0987ffe2a62dca7ad268bf9edfa9b8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/1ee96a8b1b0987ffe2a62dca7ad268bf9edfa9b8" }, { "reference_url": "https://github.com/symfony/symfony/pull/11828", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/pull/11828" }, { "reference_url": "https://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header" }, { "reference_url": "https://symfony.com/cve-2014-5244", "reference_id": "CVE-2014-5244", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2014-5244" }, { "reference_url": "https://github.com/advisories/GHSA-v77v-x634-9m56", "reference_id": "GHSA-v77v-x634-9m56", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v77v-x634-9m56" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20782?format=api", "purl": "pkg:composer/symfony/http-foundation@2.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.4.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/150802?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.0-BETA1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.0-BETA1" }, { "url": "http://public2.vulnerablecode.io/api/packages/20783?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/21072?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.11" } ], "aliases": [ "CVE-2014-5244", "GHSA-v77v-x634-9m56" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qty4-cyfa-rugw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7096?format=api", "vulnerability_id": "VCID-wwhm-mrr3-v7h3", "summary": "Unsafe methods in the Request class\nThe `Symfony\\Component\\HttpFoundation\\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a \"non-trusted\" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`.", "references": [ { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2309", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2309" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2015-2309.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2015-2309.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2309.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2309.yaml" }, { "reference_url": "https://github.com/symfony/symfony/commit/6c73f0ce9302a0091bbfbb96f317e400ce16ef84", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/6c73f0ce9302a0091bbfbb96f317e400ce16ef84" }, { "reference_url": "https://github.com/symfony/symfony/pull/14166", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/pull/14166" }, { "reference_url": "https://symfony.com/cve-2015-2309", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2015-2309" }, { "reference_url": "http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class", "reference_id": "CVE-2015-2309-UNSAFE-METHODS-IN-THE-REQUEST-CLASS", "reference_type": "", "scores": [], "url": "http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class" }, { "reference_url": "https://github.com/advisories/GHSA-p684-f7fh-jv2j", "reference_id": "GHSA-p684-f7fh-jv2j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p684-f7fh-jv2j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21072?format=api", "purl": "pkg:composer/symfony/http-foundation@2.5.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/21073?format=api", "purl": "pkg:composer/symfony/http-foundation@2.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.6.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/152131?format=api", "purl": "pkg:composer/symfony/http-foundation@2.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.6.8" } ], "aliases": [ "CVE-2015-2309", "GHSA-p684-f7fh-jv2j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wwhm-mrr3-v7h3" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.4.7" }