Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,923
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,376
Swift
54
Unreviewed advisories
All unreviewed
5,000+

18 advisories

Loading
symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form Low
CVE-2026-46644 was published for symfony/polyfill (Composer) May 28, 2026
nicolas-grekas Credited to nicolas-grekas
Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection Moderate
CVE-2026-45754 was published for symfony/lox24-notifier (Composer) May 28, 2026
alexandre-daubois Credited to alexandre-daubois, nicolas-grekas, and unknownhad nicolas-grekas nicolas-grekas
unknownhad unknownhad
Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS) Low
CVE-2026-45753 was published for symfony/html-sanitizer (Composer) May 28, 2026
nicolas-grekas Credited to nicolas-grekas
Symfony hardened the parser when handling untrusted input Low
CVE-2026-45133 was published for symfony/symfony (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and suidpit suidpit suidpit
Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener High
CVE-2026-45077 was published for symfony/monolog-bridge (Composer) May 27, 2026
snoopysecurity Credited to snoopysecurity, nicolas-grekas, and a-tt-om nicolas-grekas nicolas-grekas
a-tt-om a-tt-om
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay Moderate
CVE-2026-45074 was published for symfony/security-http (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas
Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix Moderate
CVE-2026-45073 was published for symfony/cache (Composer) May 27, 2026
FORIMOC Credited to FORIMOC and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing Moderate
CVE-2026-45064 was published for symfony/html-sanitizer (Composer) May 27, 2026
nicolas-grekas Credited to nicolas-grekas and unknownhad unknownhad unknownhad
Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows Moderate
CVE-2026-24739 was published for symfony/process (Composer) Jan 28, 2026
Seldaek Credited to Seldaek and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass High
CVE-2025-64500 was published for symfony/http-foundation (Composer) Nov 12, 2025
cs278 Credited to cs278 and nicolas-grekas nicolas-grekas nicolas-grekas
Twig has unguarded calls to `__isset()` and to array-accesses when the sandbox is enabled Low
CVE-2024-51755 was published for twig/twig (Composer) Nov 6, 2024
maantje Credited to maantje, nicolas-grekas, and G-Rath nicolas-grekas nicolas-grekas
G-Rath G-Rath
Symfony vulnerable to command execution hijack on Windows with Process class High
CVE-2024-51736 was published for symfony/process (Composer) Nov 6, 2024
nicolas-grekas Credited to nicolas-grekas, haqpl, and paulblei haqpl haqpl
paulblei paulblei
Symfony vulnerable to open redirect via browser-sanitized URLs Low
CVE-2024-50345 was published for symfony/http-foundation (Composer) Nov 6, 2024
nicolas-grekas Credited to nicolas-grekas and zer0yu zer0yu zer0yu
Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient Low
CVE-2024-50342 was published for symfony/http-client (Composer) Nov 6, 2024
nicolas-grekas Credited to nicolas-grekas, zozs, and cs278 zozs zozs
cs278 cs278
Symfony potential Cross-site Scripting in WebhookController Moderate
CVE-2023-46735 was published for symfony/symfony (Composer) Nov 12, 2023
maxime-aknin Credited to maxime-aknin and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Moderate
CVE-2023-46734 was published for symfony/symfony (Composer) Nov 12, 2023
Rudloff Credited to Rudloff and nicolas-grekas nicolas-grekas nicolas-grekas
Symfony storing cookie headers in HttpCache Moderate
CVE-2022-24894 was published for symfony/http-kernel (Composer) Feb 1, 2023
nicolas-grekas Credited to nicolas-grekas and shyim shyim shyim
Symfony vulnerable to Session Fixation of CSRF tokens Moderate
CVE-2022-24895 was published for symfony/security-bundle (Composer) Feb 1, 2023
nicolas-grekas Credited to nicolas-grekas and lavish lavish lavish
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database