Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/symfony/process@7.1.7
purl pkg:composer/symfony/process@7.1.7
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-4num-z8cg-83gt Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix. CVE-2024-51736
GHSA-qq5c-677p-737q

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-07T04:56:21.257093+00:00 GHSA Importer Fixing VCID-4num-z8cg-83gt https://github.com/advisories/GHSA-qq5c-677p-737q 38.1.0
2026-04-02T12:40:20.561904+00:00 GitLab Importer Fixing VCID-4num-z8cg-83gt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/process/CVE-2024-51736.yml 38.0.0
2026-04-01T12:51:13.499828+00:00 GithubOSV Importer Fixing VCID-4num-z8cg-83gt https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qq5c-677p-737q/GHSA-qq5c-677p-737q.json 38.0.0