Package Instance

Routes behind a firewall are accessible even when not logged in
Symfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.

Improper Restriction of XML External Entity Reference
Security issues related to the way XML is handled.