« Security Advisories » blog posts
Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
CVE-2021-41270: Prevent CSV Injection via formulas
November 24, 2021
#Security Advisories
CVE-2021-32693: Authentication granted to all firewalls instead of just one
June 17, 2021
#Security Advisories
CVE-2021-21424 prevents user enumeration in authentication mechanisms
May 12, 2021
#Security Advisories
CVE-2020-15094 fixes an issue to prevent RCE when calling untrusted remote with CachingHttpClient
September 2, 2020
#Security Advisories
CVE-2020-5275 fixes an issue preventing all rules set in "access_control" to be checked when a firewall is configured with the unanimous strategy
March 30, 2020
#Security Advisories
CVE-2020-5255 fixes a cache poisoning issue via a Response Content-Type header
March 30, 2020
#Security Advisories
CVE-2020-5274 fixes Exception message escaping rendered by ErrorHandler.
March 30, 2020
#Security Advisories
CVE-2019-11325 fixes an issue where some strings were not properly escaped while dumping, leading to possible remote code execution.
November 13, 2019
#Security Advisories
CVE-2019-18888 fixes an issue where provided file paths to the MimeTypeGuesser were not properly escaped before being executed.
November 13, 2019
#Security Advisories
CVE-2019-18886 fixes an issue where one could enumerate users using the switch user functionality as different behaviour would occur when a user existed compared to when a user did not
November 13, 2019
#Security Advisories