CVE-2026-24739
CVE-2026-24739 is a medium-severity vulnerability in Sensiolabs Symfony with a CVSS 3.x base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-88.
Key facts
- Severity: Medium (CVSS 3.x base score 6.3)
- EPSS exploit prediction: 0% (10th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-4873
- Weakness: CWE-88
- Affected product: Sensiolabs Symfony
- Published:
- Last modified:
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.
Frequently asked questions
- What is CVE-2026-24739?
- Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.
- How severe is CVE-2026-24739?
- CVE-2026-24739 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over local access with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability high.
- Is CVE-2026-24739 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (10th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-24739?
- CVE-2026-24739 affects Sensiolabs Symfony. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-24739?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-24739 have an EU (EUVD) identifier?
- Yes. CVE-2026-24739 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-4873.
- When was CVE-2026-24739 published?
- CVE-2026-24739 was published on 2026-01-28 and last updated on 2026-06-17.
References
- https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
- https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
- https://github.com/symfony/symfony/issues/62921
- https://github.com/symfony/symfony/pull/63164
- https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
Affected products (1)
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
More vulnerabilities in Sensiolabs Symfony
- CVE-2019-18889 — Critical (CVSS 9.8): An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing…
- CVE-2019-11325 — Critical (CVSS 9.8): An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes…
- CVE-2017-11365 — Critical (CVSS 9.8): Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and…
- CVE-2019-10913 — Critical (CVSS 9.8): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP…
- CVE-2019-10910 — Critical (CVSS 9.8): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when…
- CVE-2018-11407 — Critical (CVSS 9.8): An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7,…
All CVEs affecting Sensiolabs Symfony →
Other CWE-88 (Argument Injection) vulnerabilities
- CVE-2026-57572 — Critical (CVSS 10.0): Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, the Docker API server accepted…
- CVE-2026-40281 — Critical (CVSS 10.0): Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint…
- CVE-2023-6269 — Critical (CVSS 10.0): An argument injection vulnerability has been identified in the administrative web interface of the Atos Unify…
- CVE-2007-0882 — Critical (CVSS 10.0): Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11)…
- CVE-2004-0480 — Critical (CVSS 10.0): Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via…
- CVE-1999-0113 — Critical (CVSS 10.0): Some implementations of rlogin allow root access if given a -froot parameter.