Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/symfony@4.4.24
Typecomposer
Namespacesymfony
Namesymfony
Version4.4.24
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.4.51
Latest_non_vulnerable_version8.0.5
Affected_by_vulnerabilities
0
url VCID-4num-z8cg-83gt
vulnerability_id VCID-4num-z8cg-83gt
summary 
Symfony vulnerable to command execution hijack on Windows with Process class
### Description

On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking.

### Resolution

The `Process` class now uses the absolute path to `cmd.exe`.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4.

### Credits

We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51736
reference_id
reference_type
scores
0
value 0.00783
scoring_system epss
scoring_elements 0.7372
published_at 2026-04-04T12:55:00Z
1
value 0.00783
scoring_system epss
scoring_elements 0.73735
published_at 2026-04-13T12:55:00Z
2
value 0.00783
scoring_system epss
scoring_elements 0.73744
published_at 2026-04-12T12:55:00Z
3
value 0.00783
scoring_system epss
scoring_elements 0.73761
published_at 2026-04-11T12:55:00Z
4
value 0.00783
scoring_system epss
scoring_elements 0.7374
published_at 2026-04-09T12:55:00Z
5
value 0.00783
scoring_system epss
scoring_elements 0.73727
published_at 2026-04-08T12:55:00Z
6
value 0.00783
scoring_system epss
scoring_elements 0.73692
published_at 2026-04-07T12:55:00Z
7
value 0.00783
scoring_system epss
scoring_elements 0.73696
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51736
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
5
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
reference_id
reference_type
scores
0
value 0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-21T23:20:34Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51736
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51736
7
reference_url https://symfony.com/cve-2024-51736
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-51736
8
reference_url https://github.com/advisories/GHSA-qq5c-677p-737q
reference_id GHSA-qq5c-677p-737q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qq5c-677p-737q
fixed_packages
0
url pkg:composer/symfony/symfony@5.4.46
purl pkg:composer/symfony/symfony@5.4.46
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.46
1
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
2
url pkg:composer/symfony/symfony@6.4.14
purl pkg:composer/symfony/symfony@6.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.14
3
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
4
url pkg:composer/symfony/symfony@7.1.7
purl pkg:composer/symfony/symfony@7.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.7
5
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-51736, GHSA-qq5c-677p-737q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4num-z8cg-83gt
1
url VCID-8kq8-2mv9-s3ad
vulnerability_id VCID-8kq8-2mv9-s3ad
summary 
Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
### Description

When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

### Resolution

The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks.

The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4.

The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also.

### Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50342
reference_id
reference_type
scores
0
value 0.00361
scoring_system epss
scoring_elements 0.5823
published_at 2026-04-04T12:55:00Z
1
value 0.00361
scoring_system epss
scoring_elements 0.58205
published_at 2026-04-07T12:55:00Z
2
value 0.00361
scoring_system epss
scoring_elements 0.5821
published_at 2026-04-02T12:55:00Z
3
value 0.00361
scoring_system epss
scoring_elements 0.58257
published_at 2026-04-12T12:55:00Z
4
value 0.00361
scoring_system epss
scoring_elements 0.58281
published_at 2026-04-11T12:55:00Z
5
value 0.00361
scoring_system epss
scoring_elements 0.58264
published_at 2026-04-09T12:55:00Z
6
value 0.00361
scoring_system epss
scoring_elements 0.58259
published_at 2026-04-08T12:55:00Z
7
value 0.00502
scoring_system epss
scoring_elements 0.6603
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50342
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:26:26Z/
url https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
5
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:26:26Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50342
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50342
7
reference_url https://symfony.com/cve-2024-50342
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50342
8
reference_url https://github.com/advisories/GHSA-9c3x-r3wp-mgxm
reference_id GHSA-9c3x-r3wp-mgxm
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9c3x-r3wp-mgxm
9
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@5.4.47
purl pkg:composer/symfony/symfony@5.4.47
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.47
1
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
2
url pkg:composer/symfony/symfony@6.4.15
purl pkg:composer/symfony/symfony@6.4.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.15
3
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
4
url pkg:composer/symfony/symfony@7.1.8
purl pkg:composer/symfony/symfony@7.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.8
5
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-50342, GHSA-9c3x-r3wp-mgxm
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8kq8-2mv9-s3ad
2
url VCID-9bzz-84cq-ykh2
vulnerability_id VCID-9bzz-84cq-ykh2
summary 
Symfony vulnerable to open redirect via browser-sanitized URLs
### Description

The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain.

### Resolution

The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4.

### Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50345
reference_id
reference_type
scores
0
value 0.00394
scoring_system epss
scoring_elements 0.60271
published_at 2026-04-02T12:55:00Z
1
value 0.00394
scoring_system epss
scoring_elements 0.60318
published_at 2026-04-13T12:55:00Z
2
value 0.00394
scoring_system epss
scoring_elements 0.60337
published_at 2026-04-12T12:55:00Z
3
value 0.00394
scoring_system epss
scoring_elements 0.60351
published_at 2026-04-11T12:55:00Z
4
value 0.00394
scoring_system epss
scoring_elements 0.6033
published_at 2026-04-09T12:55:00Z
5
value 0.00394
scoring_system epss
scoring_elements 0.60316
published_at 2026-04-08T12:55:00Z
6
value 0.00394
scoring_system epss
scoring_elements 0.60266
published_at 2026-04-07T12:55:00Z
7
value 0.00394
scoring_system epss
scoring_elements 0.60297
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50345
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
4
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
5
reference_url https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
6
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
7
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50345
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50345
9
reference_url https://symfony.com/cve-2024-50345
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50345
10
reference_url https://url.spec.whatwg.org
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/
url https://url.spec.whatwg.org
11
reference_url https://github.com/advisories/GHSA-mrqx-rp3w-jpjp
reference_id GHSA-mrqx-rp3w-jpjp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mrqx-rp3w-jpjp
12
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@5.4.46
purl pkg:composer/symfony/symfony@5.4.46
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.46
1
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
2
url pkg:composer/symfony/symfony@6.4.14
purl pkg:composer/symfony/symfony@6.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.14
3
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
4
url pkg:composer/symfony/symfony@7.1.7
purl pkg:composer/symfony/symfony@7.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.7
5
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-50345, GHSA-mrqx-rp3w-jpjp
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9bzz-84cq-ykh2
3
url VCID-bdhj-np35-sybt
vulnerability_id VCID-bdhj-np35-sybt
summary 
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46734
reference_id
reference_type
scores
0
value 0.02089
scoring_system epss
scoring_elements 0.83982
published_at 2026-04-04T12:55:00Z
1
value 0.02089
scoring_system epss
scoring_elements 0.83967
published_at 2026-04-02T12:55:00Z
2
value 0.02089
scoring_system epss
scoring_elements 0.84021
published_at 2026-04-13T12:55:00Z
3
value 0.02089
scoring_system epss
scoring_elements 0.84025
published_at 2026-04-12T12:55:00Z
4
value 0.02089
scoring_system epss
scoring_elements 0.84032
published_at 2026-04-11T12:55:00Z
5
value 0.02089
scoring_system epss
scoring_elements 0.84016
published_at 2026-04-09T12:55:00Z
6
value 0.02089
scoring_system epss
scoring_elements 0.8401
published_at 2026-04-08T12:55:00Z
7
value 0.02089
scoring_system epss
scoring_elements 0.83986
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46734
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46734
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46734
2
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
3
reference_url https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
4
reference_url https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
5
reference_url https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
reference_id 1055774
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46734
reference_id CVE-2023-46734
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46734
8
reference_url https://symfony.com/cve-2023-46734
reference_id CVE-2023-46734
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2023-46734
9
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml
reference_id CVE-2023-46734.YAML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml
10
reference_url https://github.com/advisories/GHSA-q847-2q57-wmr3
reference_id GHSA-q847-2q57-wmr3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q847-2q57-wmr3
11
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
reference_id GHSA-q847-2q57-wmr3
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
12
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@4.4.51
purl pkg:composer/symfony/symfony@4.4.51
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.51
1
url pkg:composer/symfony/symfony@5.0.0-BETA1
purl pkg:composer/symfony/symfony@5.0.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-qwcj-hq3g-2qd7
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.0.0-BETA1
2
url pkg:composer/symfony/symfony@5.4.31
purl pkg:composer/symfony/symfony@5.4.31
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-kgu6-gj5d-7bfx
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.31
3
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
4
url pkg:composer/symfony/symfony@6.3.8
purl pkg:composer/symfony/symfony@6.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.3.8
5
url pkg:composer/symfony/symfony@6.4.0-BETA1
purl pkg:composer/symfony/symfony@6.4.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.0-BETA1
aliases CVE-2023-46734, GHSA-q847-2q57-wmr3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bdhj-np35-sybt
4
url VCID-c8ar-82sr-fqej
vulnerability_id VCID-c8ar-82sr-fqej
summary 
Symfony has an incorrect response from Validator when input ends with `\n`
### Description

It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`.

### Resolution

Symfony now uses the `D` regex modifier to match the entire input.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4.

### Credits

We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50343
reference_id
reference_type
scores
0
value 0.00246
scoring_system epss
scoring_elements 0.47872
published_at 2026-04-04T12:55:00Z
1
value 0.00246
scoring_system epss
scoring_elements 0.4788
published_at 2026-04-13T12:55:00Z
2
value 0.00246
scoring_system epss
scoring_elements 0.47871
published_at 2026-04-12T12:55:00Z
3
value 0.00246
scoring_system epss
scoring_elements 0.47893
published_at 2026-04-11T12:55:00Z
4
value 0.00246
scoring_system epss
scoring_elements 0.47869
published_at 2026-04-09T12:55:00Z
5
value 0.00246
scoring_system epss
scoring_elements 0.47874
published_at 2026-04-08T12:55:00Z
6
value 0.00246
scoring_system epss
scoring_elements 0.47821
published_at 2026-04-07T12:55:00Z
7
value 0.00246
scoring_system epss
scoring_elements 0.4785
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50343
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50343
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50343
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml
4
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
5
reference_url https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:25:47Z/
url https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f
6
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:25:47Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9
7
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50343
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50343
9
reference_url https://symfony.com/cve-2024-50343
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50343
10
reference_url https://github.com/advisories/GHSA-g3rh-rrhp-jhh9
reference_id GHSA-g3rh-rrhp-jhh9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g3rh-rrhp-jhh9
11
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@5.4.43
purl pkg:composer/symfony/symfony@5.4.43
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-en6a-wp7q-fbfs
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.43
1
url pkg:composer/symfony/symfony@6.4.11
purl pkg:composer/symfony/symfony@6.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-en6a-wp7q-fbfs
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.11
2
url pkg:composer/symfony/symfony@7.1.4
purl pkg:composer/symfony/symfony@7.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-en6a-wp7q-fbfs
4
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.4
aliases CVE-2024-50343, GHSA-g3rh-rrhp-jhh9
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8ar-82sr-fqej
5
url VCID-j2su-wjra-tbh1
vulnerability_id VCID-j2su-wjra-tbh1
summary 
Improper Neutralization of Formula Elements in a CSV File
`Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-41270
reference_id
reference_type
scores
0
value 0.00871
scoring_system epss
scoring_elements 0.75164
published_at 2026-04-01T12:55:00Z
1
value 0.00871
scoring_system epss
scoring_elements 0.7522
published_at 2026-04-12T12:55:00Z
2
value 0.00871
scoring_system epss
scoring_elements 0.75242
published_at 2026-04-11T12:55:00Z
3
value 0.00871
scoring_system epss
scoring_elements 0.75221
published_at 2026-04-09T12:55:00Z
4
value 0.00871
scoring_system epss
scoring_elements 0.75209
published_at 2026-04-13T12:55:00Z
5
value 0.00871
scoring_system epss
scoring_elements 0.75174
published_at 2026-04-07T12:55:00Z
6
value 0.00871
scoring_system epss
scoring_elements 0.75198
published_at 2026-04-04T12:55:00Z
7
value 0.00871
scoring_system epss
scoring_elements 0.75167
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-41270
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41270
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41270
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/CVE-2021-41270.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/serializer/CVE-2021-41270.yaml
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41270.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41270.yaml
4
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
5
reference_url https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
6
reference_url https://github.com/symfony/symfony/pull/44243
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/pull/44243
7
reference_url https://github.com/symfony/symfony/releases/tag/v5.3.12
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/releases/tag/v5.3.12
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP/
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP/
16
reference_url https://symfony.com/cve-2021-41270
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2021-41270
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-41270
reference_id CVE-2021-41270
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-41270
18
reference_url https://github.com/advisories/GHSA-2xhg-w2g5-w95x
reference_id GHSA-2xhg-w2g5-w95x
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2xhg-w2g5-w95x
19
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
reference_id GHSA-2xhg-w2g5-w95x
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
20
reference_url https://usn.ubuntu.com/USN-5290-1/
reference_id USN-USN-5290-1
reference_type
scores
url https://usn.ubuntu.com/USN-5290-1/
fixed_packages
0
url pkg:composer/symfony/symfony@4.4.35
purl pkg:composer/symfony/symfony@4.4.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-kgu6-gj5d-7bfx
6
vulnerability VCID-p1dw-w76f-gbfv
7
vulnerability VCID-qwcj-hq3g-2qd7
8
vulnerability VCID-rgh3-ef8t-k3ec
9
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.35
1
url pkg:composer/symfony/symfony@5.0.0-BETA1
purl pkg:composer/symfony/symfony@5.0.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-qwcj-hq3g-2qd7
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.0.0-BETA1
2
url pkg:composer/symfony/symfony@5.3.12
purl pkg:composer/symfony/symfony@5.3.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
8
vulnerability VCID-qwcj-hq3g-2qd7
9
vulnerability VCID-rgh3-ef8t-k3ec
10
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.12
3
url pkg:composer/symfony/symfony@5.4.0-BETA1
purl pkg:composer/symfony/symfony@5.4.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
8
vulnerability VCID-rgh3-ef8t-k3ec
9
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.0-BETA1
aliases CVE-2021-41270, GHSA-2xhg-w2g5-w95x
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j2su-wjra-tbh1
6
url VCID-kgu6-gj5d-7bfx
vulnerability_id VCID-kgu6-gj5d-7bfx
summary 
Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows
### Summary
The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters.

This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended.

### Impact
If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive.

The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration).

### Resolution
Upgrade to a Symfony release that includes the fix from symfony/symfony#63164 (which updates Windows argument escaping to ensure arguments containing = and other MSYS2-sensitive characters are properly quoted/escaped).
The patch for branch 5.4 is available at https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b

### Workarounds / Mitigations
Avoid running PHP/your tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables.
Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2.
Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24739
reference_id
reference_type
scores
0
value 8e-05
scoring_system epss
scoring_elements 0.00719
published_at 2026-04-02T12:55:00Z
1
value 8e-05
scoring_system epss
scoring_elements 0.00716
published_at 2026-04-04T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.00894
published_at 2026-04-12T12:55:00Z
3
value 9e-05
scoring_system epss
scoring_elements 0.00899
published_at 2026-04-11T12:55:00Z
4
value 9e-05
scoring_system epss
scoring_elements 0.00911
published_at 2026-04-09T12:55:00Z
5
value 9e-05
scoring_system epss
scoring_elements 0.00913
published_at 2026-04-08T12:55:00Z
6
value 9e-05
scoring_system epss
scoring_elements 0.0091
published_at 2026-04-07T12:55:00Z
7
value 9e-05
scoring_system epss
scoring_elements 0.00895
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24739
1
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
2
reference_url https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/
url https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
3
reference_url https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/
url https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
4
reference_url https://github.com/symfony/symfony/issues/62921
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/
url https://github.com/symfony/symfony/issues/62921
5
reference_url https://github.com/symfony/symfony/pull/63164
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/
url https://github.com/symfony/symfony/pull/63164
6
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-29T16:03:49Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24739
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24739
8
reference_url https://github.com/advisories/GHSA-r39x-jcww-82v6
reference_id GHSA-r39x-jcww-82v6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r39x-jcww-82v6
fixed_packages
0
url pkg:composer/symfony/symfony@5.4.51
purl pkg:composer/symfony/symfony@5.4.51
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.51
1
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
2
url pkg:composer/symfony/symfony@6.4.33
purl pkg:composer/symfony/symfony@6.4.33
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.33
3
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
4
url pkg:composer/symfony/symfony@7.3.11
purl pkg:composer/symfony/symfony@7.3.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.3.11
5
url pkg:composer/symfony/symfony@7.4.0-BETA1
purl pkg:composer/symfony/symfony@7.4.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.0-BETA1
6
url pkg:composer/symfony/symfony@7.4.5
purl pkg:composer/symfony/symfony@7.4.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.5
7
url pkg:composer/symfony/symfony@8.0.0-BETA1
purl pkg:composer/symfony/symfony@8.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@8.0.0-BETA1
8
url pkg:composer/symfony/symfony@8.0.5
purl pkg:composer/symfony/symfony@8.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@8.0.5
aliases CVE-2026-24739, GHSA-r39x-jcww-82v6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kgu6-gj5d-7bfx
7
url VCID-p1dw-w76f-gbfv
vulnerability_id VCID-p1dw-w76f-gbfv
summary 
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64500
reference_id
reference_type
scores
0
value 0.00047
scoring_system epss
scoring_elements 0.14662
published_at 2026-04-02T12:55:00Z
1
value 0.0197
scoring_system epss
scoring_elements 0.83538
published_at 2026-04-12T12:55:00Z
2
value 0.0197
scoring_system epss
scoring_elements 0.83544
published_at 2026-04-11T12:55:00Z
3
value 0.02482
scoring_system epss
scoring_elements 0.85295
published_at 2026-04-13T12:55:00Z
4
value 0.03928
scoring_system epss
scoring_elements 0.88291
published_at 2026-04-04T12:55:00Z
5
value 0.03928
scoring_system epss
scoring_elements 0.88321
published_at 2026-04-09T12:55:00Z
6
value 0.03928
scoring_system epss
scoring_elements 0.88316
published_at 2026-04-08T12:55:00Z
7
value 0.03928
scoring_system epss
scoring_elements 0.88296
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64500
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500
2
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
3
reference_url https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64500
reference_id CVE-2025-64500
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64500
5
reference_url https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
reference_id CVE-2025-64500-INCORRECT-PARSING-OF-PATH-INFO-CAN-LEAD-TO-LIMITED-AUTHORIZATION-BYPASS
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml
reference_id CVE-2025-64500.YAML
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml
reference_id CVE-2025-64500.YAML
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml
8
reference_url https://github.com/advisories/GHSA-3rg7-wf37-54rm
reference_id GHSA-3rg7-wf37-54rm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3rg7-wf37-54rm
9
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
reference_id GHSA-3rg7-wf37-54rm
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
fixed_packages
0
url pkg:composer/symfony/symfony@5.4.50
purl pkg:composer/symfony/symfony@5.4.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.50
1
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
2
url pkg:composer/symfony/symfony@6.4.29
purl pkg:composer/symfony/symfony@6.4.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.29
3
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
4
url pkg:composer/symfony/symfony@7.3.7
purl pkg:composer/symfony/symfony@7.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.3.7
5
url pkg:composer/symfony/symfony@7.4.0-BETA1
purl pkg:composer/symfony/symfony@7.4.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.0-BETA1
aliases CVE-2025-64500, GHSA-3rg7-wf37-54rm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p1dw-w76f-gbfv
8
url VCID-qwcj-hq3g-2qd7
vulnerability_id VCID-qwcj-hq3g-2qd7
summary 
Cross-Site Request Forgery (CSRF)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23601
reference_id
reference_type
scores
0
value 0.00173
scoring_system epss
scoring_elements 0.38775
published_at 2026-04-08T12:55:00Z
1
value 0.00173
scoring_system epss
scoring_elements 0.38735
published_at 2026-04-13T12:55:00Z
2
value 0.00173
scoring_system epss
scoring_elements 0.38762
published_at 2026-04-12T12:55:00Z
3
value 0.00173
scoring_system epss
scoring_elements 0.38798
published_at 2026-04-11T12:55:00Z
4
value 0.00173
scoring_system epss
scoring_elements 0.38787
published_at 2026-04-09T12:55:00Z
5
value 0.00173
scoring_system epss
scoring_elements 0.38726
published_at 2026-04-07T12:55:00Z
6
value 0.00173
scoring_system epss
scoring_elements 0.38797
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23601
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2022-23601.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2022-23601.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-23601.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-23601.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:46Z/
url https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50
5
reference_url https://symfony.com/cve-2022-23601
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2022-23601
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23601
reference_id CVE-2022-23601
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23601
7
reference_url https://github.com/advisories/GHSA-vvmr-8829-6whx
reference_id GHSA-vvmr-8829-6whx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vvmr-8829-6whx
8
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-vvmr-8829-6whx
reference_id GHSA-vvmr-8829-6whx
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:46Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-vvmr-8829-6whx
fixed_packages
0
url pkg:composer/symfony/symfony@5.3.15
purl pkg:composer/symfony/symfony@5.3.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
8
vulnerability VCID-rgh3-ef8t-k3ec
9
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.15
1
url pkg:composer/symfony/symfony@5.4.4
purl pkg:composer/symfony/symfony@5.4.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
8
vulnerability VCID-rgh3-ef8t-k3ec
9
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.4
2
url pkg:composer/symfony/symfony@6.0.4
purl pkg:composer/symfony/symfony@6.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
7
vulnerability VCID-rgh3-ef8t-k3ec
8
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.4
aliases CVE-2022-23601, GHSA-vvmr-8829-6whx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qwcj-hq3g-2qd7
9
url VCID-rgh3-ef8t-k3ec
vulnerability_id VCID-rgh3-ef8t-k3ec
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24894
reference_id
reference_type
scores
0
value 0.00188
scoring_system epss
scoring_elements 0.40661
published_at 2026-04-08T12:55:00Z
1
value 0.00188
scoring_system epss
scoring_elements 0.40634
published_at 2026-04-13T12:55:00Z
2
value 0.00188
scoring_system epss
scoring_elements 0.40653
published_at 2026-04-12T12:55:00Z
3
value 0.00188
scoring_system epss
scoring_elements 0.40688
published_at 2026-04-11T12:55:00Z
4
value 0.00188
scoring_system epss
scoring_elements 0.4067
published_at 2026-04-09T12:55:00Z
5
value 0.00188
scoring_system epss
scoring_elements 0.4061
published_at 2026-04-07T12:55:00Z
6
value 0.00188
scoring_system epss
scoring_elements 0.40689
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24894
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24894
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24894
2
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
3
reference_url https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:29Z/
url https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
4
reference_url https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:29Z/
url https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24894
reference_id CVE-2022-24894
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24894
6
reference_url https://symfony.com/cve-2022-24894
reference_id CVE-2022-24894
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2022-24894
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
reference_id CVE-2022-24894.YAML
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
8
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
reference_id CVE-2022-24894.YAML
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
9
reference_url https://github.com/advisories/GHSA-h7vf-5wrv-9fhv
reference_id GHSA-h7vf-5wrv-9fhv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h7vf-5wrv-9fhv
10
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
reference_id GHSA-h7vf-5wrv-9fhv
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:29Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
11
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@4.4.50
purl pkg:composer/symfony/symfony@4.4.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-kgu6-gj5d-7bfx
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.50
1
url pkg:composer/symfony/symfony@5.0.0-BETA1
purl pkg:composer/symfony/symfony@5.0.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-qwcj-hq3g-2qd7
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.0.0-BETA1
2
url pkg:composer/symfony/symfony@5.4.20
purl pkg:composer/symfony/symfony@5.4.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.20
3
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
4
url pkg:composer/symfony/symfony@6.0.20
purl pkg:composer/symfony/symfony@6.0.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.20
5
url pkg:composer/symfony/symfony@6.1.0-BETA1
purl pkg:composer/symfony/symfony@6.1.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.1.0-BETA1
6
url pkg:composer/symfony/symfony@6.1.12
purl pkg:composer/symfony/symfony@6.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.1.12
7
url pkg:composer/symfony/symfony@6.2.0-BETA1
purl pkg:composer/symfony/symfony@6.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.2.0-BETA1
8
url pkg:composer/symfony/symfony@6.2.6
purl pkg:composer/symfony/symfony@6.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
7
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.2.6
aliases CVE-2022-24894, GHSA-h7vf-5wrv-9fhv, GMS-2023-209, GMS-2023-212
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rgh3-ef8t-k3ec
10
url VCID-thtp-ehsj-t3ej
vulnerability_id VCID-thtp-ehsj-t3ej
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24895
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.05621
published_at 2026-04-02T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05684
published_at 2026-04-13T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.0569
published_at 2026-04-12T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05697
published_at 2026-04-11T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05718
published_at 2026-04-09T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05691
published_at 2026-04-08T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05653
published_at 2026-04-07T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.0566
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24895
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24895
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24895
2
reference_url https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/
url https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/
url https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4
5
reference_url https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/
url https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24895
reference_id CVE-2022-24895
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24895
7
reference_url https://symfony.com/cve-2022-24895
reference_id CVE-2022-24895
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2022-24895
8
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml
reference_id CVE-2022-24895.YAML
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml
9
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml
reference_id CVE-2022-24895.YAML
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24895.yaml
10
reference_url https://github.com/advisories/GHSA-3gv2-29qc-v67m
reference_id GHSA-3gv2-29qc-v67m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3gv2-29qc-v67m
11
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m
reference_id GHSA-3gv2-29qc-v67m
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m
12
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@4.4.50
purl pkg:composer/symfony/symfony@4.4.50
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-kgu6-gj5d-7bfx
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.50
1
url pkg:composer/symfony/symfony@5.0.0-BETA1
purl pkg:composer/symfony/symfony@5.0.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-qwcj-hq3g-2qd7
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.0.0-BETA1
2
url pkg:composer/symfony/symfony@5.4.20
purl pkg:composer/symfony/symfony@5.4.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.4.20
3
url pkg:composer/symfony/symfony@6.0.0-BETA1
purl pkg:composer/symfony/symfony@6.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.0-BETA1
4
url pkg:composer/symfony/symfony@6.0.20
purl pkg:composer/symfony/symfony@6.0.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.0.20
5
url pkg:composer/symfony/symfony@6.1.0-BETA1
purl pkg:composer/symfony/symfony@6.1.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.1.0-BETA1
6
url pkg:composer/symfony/symfony@6.1.12
purl pkg:composer/symfony/symfony@6.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.1.12
7
url pkg:composer/symfony/symfony@6.2.0-BETA1
purl pkg:composer/symfony/symfony@6.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.2.0-BETA1
8
url pkg:composer/symfony/symfony@6.2.6
purl pkg:composer/symfony/symfony@6.2.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-p1dw-w76f-gbfv
7
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.2.6
aliases CVE-2022-24895, GHSA-3gv2-29qc-v67m, GMS-2023-210, GMS-2023-211
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-thtp-ehsj-t3ej
Fixing_vulnerabilities
0
url VCID-e71e-d4tr-wqgz
vulnerability_id VCID-e71e-d4tr-wqgz
summary 
Prevent user enumeration using Guard or the new Authenticator-based Security
Description
-----------

The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user.

Resolution
----------

We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4.

Credits
-------

I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21424
reference_id
reference_type
scores
0
value 0.00266
scoring_system epss
scoring_elements 0.50055
published_at 2026-04-02T12:55:00Z
1
value 0.00266
scoring_system epss
scoring_elements 0.50068
published_at 2026-04-13T12:55:00Z
2
value 0.00266
scoring_system epss
scoring_elements 0.50072
published_at 2026-04-12T12:55:00Z
3
value 0.00266
scoring_system epss
scoring_elements 0.50098
published_at 2026-04-11T12:55:00Z
4
value 0.00266
scoring_system epss
scoring_elements 0.50081
published_at 2026-04-09T12:55:00Z
5
value 0.00266
scoring_system epss
scoring_elements 0.50088
published_at 2026-04-08T12:55:00Z
6
value 0.00266
scoring_system epss
scoring_elements 0.50017
published_at 2026-04-01T12:55:00Z
7
value 0.00266
scoring_system epss
scoring_elements 0.50033
published_at 2026-04-07T12:55:00Z
8
value 0.00266
scoring_system epss
scoring_elements 0.50083
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21424
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21424
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21424
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/lexik/jwt-authentication-bundle/CVE-2021-21424.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/lexik/jwt-authentication-bundle/CVE-2021-21424.yaml
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/maker-bundle/CVE-2021-21424.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/maker-bundle/CVE-2021-21424.yaml
4
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2021-21424.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2021-21424.yaml
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-guard/CVE-2021-21424.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-guard/CVE-2021-21424.yaml
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-21424.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-21424.yaml
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-21424.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-21424.yaml
8
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
9
reference_url https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011
10
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68
11
reference_url https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW
19
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21424
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21424
21
reference_url https://symfony.com/cve-2021-21424
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2021-21424
22
reference_url https://github.com/advisories/GHSA-5pv8-ppvj-4h68
reference_id GHSA-5pv8-ppvj-4h68
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5pv8-ppvj-4h68
23
reference_url https://usn.ubuntu.com/USN-5290-1/
reference_id USN-USN-5290-1
reference_type
scores
url https://usn.ubuntu.com/USN-5290-1/
fixed_packages
0
url pkg:composer/symfony/symfony@3.4.48
purl pkg:composer/symfony/symfony@3.4.48
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-9bzz-84cq-ykh2
2
vulnerability VCID-bdhj-np35-sybt
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-qwcj-hq3g-2qd7
7
vulnerability VCID-rgh3-ef8t-k3ec
8
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.48
1
url pkg:composer/symfony/symfony@3.4.49
purl pkg:composer/symfony/symfony@3.4.49
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-9bzz-84cq-ykh2
2
vulnerability VCID-bdhj-np35-sybt
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-qwcj-hq3g-2qd7
7
vulnerability VCID-rgh3-ef8t-k3ec
8
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.4.49
2
url pkg:composer/symfony/symfony@4.4.23
purl pkg:composer/symfony/symfony@4.4.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-j2su-wjra-tbh1
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
8
vulnerability VCID-qwcj-hq3g-2qd7
9
vulnerability VCID-rgh3-ef8t-k3ec
10
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.23
3
url pkg:composer/symfony/symfony@4.4.24
purl pkg:composer/symfony/symfony@4.4.24
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-j2su-wjra-tbh1
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-p1dw-w76f-gbfv
8
vulnerability VCID-qwcj-hq3g-2qd7
9
vulnerability VCID-rgh3-ef8t-k3ec
10
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.24
4
url pkg:composer/symfony/symfony@5.2.8
purl pkg:composer/symfony/symfony@5.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-j2su-wjra-tbh1
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-n3d2-zwve-gbf5
8
vulnerability VCID-p1dw-w76f-gbfv
9
vulnerability VCID-qwcj-hq3g-2qd7
10
vulnerability VCID-rgh3-ef8t-k3ec
11
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.2.8
5
url pkg:composer/symfony/symfony@5.2.9
purl pkg:composer/symfony/symfony@5.2.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-j2su-wjra-tbh1
6
vulnerability VCID-kgu6-gj5d-7bfx
7
vulnerability VCID-n3d2-zwve-gbf5
8
vulnerability VCID-p1dw-w76f-gbfv
9
vulnerability VCID-qwcj-hq3g-2qd7
10
vulnerability VCID-rgh3-ef8t-k3ec
11
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.2.9
aliases CVE-2021-21424, GHSA-5pv8-ppvj-4h68
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e71e-d4tr-wqgz
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@4.4.24