{"url":"http://public2.vulnerablecode.io/api/packages/200855?format=json","purl":"pkg:composer/symfony/http-foundation@2.5.0-RC1","type":"composer","namespace":"symfony","name":"http-foundation","version":"2.5.0-RC1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.8.52","latest_non_vulnerable_version":"7.3.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52037?format=json","vulnerability_id":"VCID-37et-21qw-skd7","summary":"Improper Input Validation\nIf an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18888","reference_id":"","reference_type":"","scores":[{"value":"0.0231","scoring_system":"epss","scoring_elements":"0.85061","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18888"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml"},{"reference_url":"https://github.com/symfony/symfony/releases/tag/v4.3.8","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/releases/tag/v4.3.8"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18888","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18888"},{"reference_url":"https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser"},{"reference_url":"https://symfony.com/blog/symfony-4-3-8-released","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/symfony-4-3-8-released"},{"reference_url":"https://symfony.com/cve-2019-18888","reference_id":"CVE-2019-18888","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2019-18888"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76270?format=json","purl":"pkg:composer/symfony/http-foundation@2.8.52","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.8.52"},{"url":"http://public2.vulnerablecode.io/api/packages/76271?format=json","purl":"pkg:composer/symfony/http-foundation@3.4.35","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.4.35"},{"url":"http://public2.vulnerablecode.io/api/packages/76272?format=json","purl":"pkg:composer/symfony/http-foundation@4.2.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.2.12"},{"url":"http://public2.vulnerablecode.io/api/packages/76273?format=json","purl":"pkg:composer/symfony/http-foundation@4.3.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.3.8"}],"aliases":["CVE-2019-18888","GHSA-xhh6-956q-4q69"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-37et-21qw-skd7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37838?format=json","vulnerability_id":"VCID-5pmg-t1rb-wbd4","summary":"Unsafe methods in the Request class\nThe `Symfony\\Component\\HttpFoundation\\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a \"non-trusted\" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`.","references":[{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2015-2309.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2015-2309.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2309.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2309.yaml"},{"reference_url":"https://github.com/symfony/symfony/commit/6c73f0ce9302a0091bbfbb96f317e400ce16ef84","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/commit/6c73f0ce9302a0091bbfbb96f317e400ce16ef84"},{"reference_url":"https://github.com/symfony/symfony/pull/14166","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/pull/14166"},{"reference_url":"https://symfony.com/cve-2015-2309","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2015-2309"},{"reference_url":"http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class","reference_id":"CVE-2015-2309-UNSAFE-METHODS-IN-THE-REQUEST-CLASS","reference_type":"","scores":[],"url":"http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52236?format=json","purl":"pkg:composer/symfony/http-foundation@2.5.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-nsuz-7sdv-abef"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.11"},{"url":"http://public2.vulnerablecode.io/api/packages/52237?format=json","purl":"pkg:composer/symfony/http-foundation@2.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-nsuz-7sdv-abef"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.6.6"},{"url":"http://public2.vulnerablecode.io/api/packages/200868?format=json","purl":"pkg:composer/symfony/http-foundation@2.6.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-nsuz-7sdv-abef"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.6.8"}],"aliases":["CVE-2015-2309","GHSA-p684-f7fh-jv2j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5pmg-t1rb-wbd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39968?format=json","vulnerability_id":"VCID-nsuz-7sdv-abef","summary":"Insufficient Session Expiration\nThe `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11386","reference_id":"","reference_type":"","scores":[{"value":"0.01086","scoring_system":"epss","scoring_elements":"0.78244","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11386"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml"},{"reference_url":"https://github.com/symfony/symfony","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11386","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11386"},{"reference_url":"https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler"},{"reference_url":"https://www.debian.org/security/2018/dsa-4262","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4262"},{"reference_url":"https://symfony.com/cve-2018-11386","reference_id":"CVE-2018-11386","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/cve-2018-11386"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/155132?format=json","purl":"pkg:composer/symfony/http-foundation@2.7.48","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-nsuz-7sdv-abef"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.7.48"},{"url":"http://public2.vulnerablecode.io/api/packages/55861?format=json","purl":"pkg:composer/symfony/http-foundation@2.8.41","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.8.41"},{"url":"http://public2.vulnerablecode.io/api/packages/155133?format=json","purl":"pkg:composer/symfony/http-foundation@3.3.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-nsuz-7sdv-abef"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.3.17"},{"url":"http://public2.vulnerablecode.io/api/packages/55862?format=json","purl":"pkg:composer/symfony/http-foundation@3.4.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.4.11"},{"url":"http://public2.vulnerablecode.io/api/packages/55863?format=json","purl":"pkg:composer/symfony/http-foundation@4.0.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.11"}],"aliases":["CVE-2018-11386","GHSA-r2rq-3h56-fqm4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nsuz-7sdv-abef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40154?format=json","vulnerability_id":"VCID-qqd1-smb1-sbe8","summary":"URL Rewrite vulnerability\nAn issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-14773","reference_id":"","reference_type":"","scores":[{"value":"0.16652","scoring_system":"epss","scoring_elements":"0.95049","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-14773"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml"},{"reference_url":"https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-14773","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-14773"},{"reference_url":"https://seclists.org/bugtraq/2019/May/21","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/May/21"},{"reference_url":"https://www.debian.org/security/2019/dsa-4441","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4441"},{"reference_url":"https://www.drupal.org/SA-CORE-2018-005","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.drupal.org/SA-CORE-2018-005"},{"reference_url":"http://www.securityfocus.com/bid/104943","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/104943"},{"reference_url":"http://www.securitytracker.com/id/1041405","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1041405"},{"reference_url":"https://security.archlinux.org/AVG-744","reference_id":"AVG-744","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-744"},{"reference_url":"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers","reference_id":"CVE-2018-14773-REMOVE-SUPPORT-FOR-LEGACY-AND-RISKY-HTTP-HEADERS","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/154174?format=json","purl":"pkg:composer/symfony/http-foundation@2.7.49","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.7.49"},{"url":"http://public2.vulnerablecode.io/api/packages/56264?format=json","purl":"pkg:composer/symfony/http-foundation@2.8.44","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.8.44"},{"url":"http://public2.vulnerablecode.io/api/packages/154175?format=json","purl":"pkg:composer/symfony/http-foundation@3.3.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"},{"vulnerability":"VCID-qqd1-smb1-sbe8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.3.18"},{"url":"http://public2.vulnerablecode.io/api/packages/56265?format=json","purl":"pkg:composer/symfony/http-foundation@3.4.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@3.4.14"},{"url":"http://public2.vulnerablecode.io/api/packages/56266?format=json","purl":"pkg:composer/symfony/http-foundation@4.0.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.14"},{"url":"http://public2.vulnerablecode.io/api/packages/56267?format=json","purl":"pkg:composer/symfony/http-foundation@4.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37et-21qw-skd7"},{"vulnerability":"VCID-7m45-bvbn-4qd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.1.3"}],"aliases":["CVE-2018-14773","GHSA-8wgj-6wx8-h5hq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@2.5.0-RC1"}