Drupal 11
51 vulnerabilities have been found
0 abandoned packages have been found
| # | Total | Critical | High | Medium | Low | |
|---|---|---|---|---|---|---|
| Composer | 51 | 0 | 5 | 10 | 12 | 0 |
Composer
high Twig has a possible sandbox bypass
Affected versions: >=3.0.0,<3.14.0 | >=2.0.0,<2.16.1 | >=1.0.0,<1.44.8
Patched versions: 1.44.8, 2.16.1, 3.14.0
https://github.com/advisories/GHSA-6j75-5wfj-gh66
Sandbox `__toString()` policy bypass via dynamic mapping keys
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.27.0
Patched versions: (none listed)
https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynamic-mapping-keys
`template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name
Affected versions: >=3.9.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-46634
low Unguarded calls to __isset() and to array-accesses when the sandbox is enabled
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.11.2 | >=3.12.0,<3.14.1
Patched versions: 3.11.2, 3.14.1
https://symfony.com/blog/unguarded-calls-to-__isset-and-to-array-accesses-when-the-sandbox-is-enabled
`{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-46638
Sandbox: multiple `__toString()` policy bypasses via unguarded string coercion points
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-47732
Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.27.0
Patched versions: (none listed)
https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-the-column-filter-under-sourcepolicyinterface
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.27.0
Patched versions: (none listed)
https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-internal-wrappers-in-src-resources-core-php
Possible sandbox bypass when using a source policy
Affected versions: >=2.16.0,<3.0.0 | >=3.9.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-24425
PHP code injection via `{% use %}` template name
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-46633
Sandbox does not protect against resource exhaustion
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-46627
Sandbox property allowlist bypass via the `column` filter (array_column on objects)
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-46635
The `spaceless` filter implicitly marks its output as safe
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-46628
XSS in profiler HtmlDumper via unescaped template and profile names
Affected versions: >=3.0.0,<3.26.0
Patched versions: (none listed)
https://symfony.com/cve-2026-47730
Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and `in`/`not in` operators
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.27.0
Patched versions: (none listed)
https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-traversable-in-join-replace-and-in-not-in-operators
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.27.0
Patched versions: (none listed)
https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
low Unguarded calls to __toString() when nesting an object into an array
Affected versions: >=1.0.0,<2.0.0 | >=2.0.0,<3.0.0 | >=3.0.0,<3.11.2 | >=3.12.0,<3.14.1
Patched versions: 3.11.2, 3.14.1
https://symfony.com/blog/unguarded-calls-to-__tostring-when-nesting-an-object-into-an-array
high Drupal core contains a potential PHP Object Injection vulnerability
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.8.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-w6rx-9g2x-mg5g
medium Drupal core is Vulnerable to Cross-Site Scripting
Affected versions: >=11.3.0,<11.3.7 | >=11.0.0,<11.2.11 | >=10.6.0,<10.6.7 | >=8.0.0,<10.5.9
Patched versions: 10.5.9, 10.6.7, 11.2.11, 11.3.7
https://github.com/advisories/GHSA-f3cj-mjqm-fhvj
medium Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
Affected versions: >=11.1.0,<11.1.3 | >=11.0.0,<11.0.12 | >=10.4.0,<10.4.3 | >=8.0.0,<10.3.13
Patched versions: 10.3.13, 10.4.3, 11.0.12, 11.1.3
https://github.com/advisories/GHSA-2qph-q8xw-gv7q
medium Drupal core allows Object Injection
Affected versions: >=11.3.0,<11.3.7 | >=11.0.0,<11.2.11 | >=10.6.0,<10.6.7 | >=8.0.0,<10.5.9
Patched versions: 10.5.9, 10.6.7, 11.2.11, 11.3.7
https://github.com/advisories/GHSA-xmjc-63pr-2mpg
medium Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
Affected versions: >=11.1.0,<11.1.3 | >=11.0.0,<11.0.12 | >=10.4.0,<10.4.3 | >=8.0.0,<10.3.13
Patched versions: 10.3.13, 10.4.3, 11.0.12, 11.1.3
https://github.com/advisories/GHSA-39g6-x4x8-5jcm
medium Drupal Core Vulnerable to Forceful Browsing
Affected versions: >=11.1.0,<11.1.3 | >=11.0.0,<11.0.12 | >=10.4.0,<10.4.3 | >=8.0.0,<10.3.13
Patched versions: 10.3.13, 10.4.3, 11.0.12, 11.1.3
https://github.com/advisories/GHSA-wpp8-fjgf-pwc7
medium Drupal core Access bypass
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.0.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-7cwc-fjqm-8vh8
medium Drupal core allows Object Injection
Affected versions: >=11.2.0,<11.2.8 | >=11.0.0,<11.1.9 | >=10.5.0,<10.5.6 | >=8.0.0,<10.4.9
Patched versions: 10.4.9, 10.5.6, 11.1.9, 11.2.8
https://github.com/advisories/GHSA-m6vv-vcj8-w8m7
medium Drupal Core Cross-Site Scripting (XSS)
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.8.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-8mvq-8h2v-j9vf
low Drupal Core Cross-Site Scripting (XSS) Vulnerability
Affected versions: >=11.1.0,<11.1.5 | >=11.0.0,<11.0.13 | >=10.4.0,<10.4.5 | >=8.0.0,<10.3.14
Patched versions: 10.3.14, 10.4.5, 11.0.13, 11.1.5
https://github.com/advisories/GHSA-m4wj-hhwj-47qp
low Drupal core allows Forceful Browsing
Affected versions: >=11.2.0,<11.2.8 | >=11.0.0,<11.1.9 | >=10.5.0,<10.5.6 | >=8.0.0,<10.4.9
Patched versions: 10.4.9, 10.5.6, 11.1.9, 11.2.8
https://github.com/advisories/GHSA-83v7-c2cf-p9c2
low Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
Affected versions: >=11.2.0,<11.2.8 | >=11.0.0,<11.1.9 | >=10.5.0,<10.5.6 | >=8.0.0,<10.4.9
Patched versions: 10.4.9, 10.5.6, 11.1.9, 11.2.8
https://github.com/advisories/GHSA-mhpg-hpj5-73r2
low Drupal core allows Content Spoofing
Affected versions: >=11.2.0,<11.2.8 | >=11.0.0,<11.1.9 | >=10.5.0,<10.5.6 | >=8.0.0,<10.4.9
Patched versions: 10.4.9, 10.5.6, 11.1.9, 11.2.8
https://github.com/advisories/GHSA-h89p-5896-f4q8
low Drupal core contains a potential PHP Object Injection vulnerability
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.8.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-938f-5r4f-h65v
low Drupal Full Path Disclosure
Affected versions: >=8.0.0,<=11.0.4
Patched versions: (none listed)
https://github.com/advisories/GHSA-mg8j-w93w-xjgc
5 drupal/core-recommended —— 11.0.1 +
high Drupal core contains a potential PHP Object Injection vulnerability
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.8.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-w6rx-9g2x-mg5g
medium Drupal Core Cross-Site Scripting (XSS)
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.8.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-8mvq-8h2v-j9vf
medium Drupal core Access bypass
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.0.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-7cwc-fjqm-8vh8
low Drupal Full Path Disclosure
Affected versions: >=8.0.0,<=11.0.4
Patched versions: (none listed)
https://github.com/advisories/GHSA-mg8j-w93w-xjgc
low Drupal core contains a potential PHP Object Injection vulnerability
Affected versions: >=11.0.0,<11.0.8 | >=10.3.0,<10.3.9 | >=8.8.0,<10.2.11
Patched versions: 10.2.11, 10.3.9, 11.0.8
https://github.com/advisories/GHSA-938f-5r4f-h65v
3 symfony/http-foundation —— v7.1.3 +
high CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.50 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.29 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.3.7
Patched versions: 5.4.50, 6.4.29, 7.3.7
https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
low CVE-2024-50345: Open redirect via browser-sanitized URLs
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.46 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.14 | >=7.0.0,<7.1.0 | >=7.1.0,<7.1.7
Patched versions: 5.4.46, 6.4.14, 7.1.7
https://symfony.com/cve-2024-50345
CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Affected versions: >=6.4.0,<6.4.41 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.13 | >=8.0.0,<8.0.13
Patched versions: (none listed)
https://symfony.com/cve-2026-48736
high CVE-2024-51736: Command execution hijack on Windows with Process class
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.46 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.14 | >=7.0.0,<7.1.0 | >=7.1.0,<7.1.7
Patched versions: 5.4.46, 6.4.14, 7.1.7
https://symfony.com/cve-2024-51736
1 symfony/validator —— v7.1.3 +
low CVE-2024-50343: Incorrect response from Validator when input ends with `\n`
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.43 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.11 | >=7.0.0,<7.1.0 | >=7.1.0,<7.1.4
Patched versions: 5.4.43, 6.4.11, 7.1.4
https://symfony.com/cve-2024-50343
CVE-2026-45068: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45068
CVE-2026-45067: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45067
CVE-2026-45070: Email Header Injection via Non-Token Characters in Mime Parameter Names
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45070
CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.53 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.41 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.13 | >=8.0.0,<8.0.13
Patched versions: (none listed)
https://symfony.com/cve-2026-48784
CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45065
CVE-2026-45133: YAML Parser Stack Exhaustion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45133
CVE-2026-45305: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45305
CVE-2026-45304: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansion ("Billion Laughs")
Affected versions: >=2.0.0,<3.0.0 | >=3.0.0,<4.0.0 | >=4.0.0,<5.0.0 | >=5.0.0,<5.1.0 | >=5.1.0,<5.2.0 | >=5.2.0,<5.3.0 | >=5.3.0,<5.4.0 | >=5.4.0,<5.4.52 | >=6.0.0,<6.1.0 | >=6.1.0,<6.2.0 | >=6.2.0,<6.3.0 | >=6.3.0,<6.4.0 | >=6.4.0,<6.4.40 | >=7.0.0,<7.1.0 | >=7.1.0,<7.2.0 | >=7.2.0,<7.3.0 | >=7.3.0,<7.4.0 | >=7.4.0,<7.4.12 | >=8.0.0,<8.0.12
Patched versions: (none listed)
https://symfony.com/cve-2026-45304
1 symfony/polyfill-intl-idn —— v1.30.0 +
CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence
Affected versions: >=1.17.1,<1.38.1
Patched versions: (none listed)
https://symfony.com/cve-2026-46644