On 27 May 2026, CERT-FR issued an alert reporting multiple security vulnerabilities in the Symfony PHP framework. The flaws can allow an attacker to perform server-side request forgery (SSRF), carry out cross-site scripting (XSS, described in the alert as remote indirect code injection) and bypass the framework's security policy. Affected releases include Symfony 6.4.x before 6.4.41, 7.0.x before 7.4.13, 8.0.x before 8.0.13 and all versions earlier than 5.4.53. The advisory references multiple security bulletins from Symfony (GHSA-38cx-cq6f-5755, GHSA-6h46-9jf5-q59x, GHSA-h5x3-xfc9-m39h, GHSA-rrj9-5q2j-4gvr, GHSA-v3wm-qf9p-c549, GHSA-x5qj-865h-mgvm) and CVE identifiers (CVE-2026-48489, CVE-2026-48736, CVE-2026-48747, CVE-2026-48760, CVE-2026-48761, CVE-2026-48784). Users are advised to consult the Symfony security bulletins for patches and to upgrade to the latest supported versions.