Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/symfony@4.4.19%2Bdfsg-3?distro=trixie
purl pkg:deb/debian/symfony@4.4.19%2Bdfsg-3?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-j2su-wjra-tbh1 Improper Neutralization of Formula Elements in a CSV File `Symfony/Serializer` handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony is vulnerable to CSV injection, also known as formula injection. In Symfony, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list, Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. CVE-2021-41270
GHSA-2xhg-w2g5-w95x

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T09:53:30.555399+00:00 Debian Importer Fixing VCID-j2su-wjra-tbh1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T06:37:03.873084+00:00 Debian Importer Fixing VCID-j2su-wjra-tbh1 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:53:42.884616+00:00 Debian Importer Fixing VCID-j2su-wjra-tbh1 https://security-tracker.debian.org/tracker/data/json 38.1.0