Every CVE whose affected-product data names Sensiolabs Symfony, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (61)
CVE-2019-18889 — CVSS 9.8 (critical): An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter…
CVE-2017-11365 — CVSS 9.8 (critical): Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and…
CVE-2019-11325 — CVSS 9.8 (critical): An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some…
CVE-2019-10913 — CVSS 9.8 (critical): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs…
CVE-2019-10910 — CVSS 9.8 (critical): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user…
CVE-2018-11407 — CVSS 9.8 (critical): An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before…
CVE-2016-2403 — CVSS 9.8 (critical): Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid…
CVE-2018-11406 — CVSS 8.8 (high): An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before…
CVE-2019-18887 — CVSS 8.1 (high): An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner…
CVE-2018-11385 — CVSS 8.1 (high): An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before…
CVE-2022-23601 — CVSS 8.1 (high): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a…
CVE-2020-15094 — CVSS 8.0 (high): In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache…
CVE-2020-5275 — CVSS 7.6 (high): In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's…
CVE-2017-16654 — CVSS 7.5 (high): An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various…
CVE-2019-18888 — CVSS 7.5 (high): An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an…
CVE-2015-8125 — CVSS 7.5 (high): Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a…
CVE-2016-1902 — CVSS 7.5 (high): The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly…
CVE-2016-4423 — CVSS 7.5 (high): The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before…
CVE-2013-1348 — CVSS 7.5 (high): The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different…
CVE-2013-1397 — CVSS 7.5 (high): Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to…
CVE-2019-10911 — CVSS 7.5 (high): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an…
CVE-2025-64500 — CVSS 7.3 (high): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component…
CVE-2018-14774 — CVSS 7.2 (high): An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13…
CVE-2019-10912 — CVSS 7.1 (high): In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain…
CVE-2021-32693 — CVSS 6.8 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall…
CVE-2015-8124 — CVSS 6.8 (medium): Session fixation vulnerability in the "Remember Me" login feature in Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before…
CVE-2012-6432 — CVSS 6.8 (medium): Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to…
CVE-2015-2308 — CVSS 6.8 (medium): Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x…
CVE-2017-16790 — CVSS 6.5 (medium): An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. When a form is submitted by the user…
CVE-2021-41268 — CVSS 6.5 (medium): Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP…
CVE-2023-46733 — CVSS 6.5 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and…
CVE-2021-41267 — CVSS 6.5 (medium): Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP…
CVE-2021-41270 — CVSS 6.5 (medium): Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and…
CVE-2018-14773 — CVSS 6.5 (medium): An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through…
CVE-2012-6431 — CVSS 6.4 (medium): Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote…
CVE-2022-24895 — CVSS 6.3 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by…
CVE-2026-24739 — CVSS 6.3 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11…
CVE-2013-4752 — CVSS 6.1 (medium): Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component…
CVE-2017-16652 — CVSS 6.1 (medium): An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13…
CVE-2017-18343 — CVSS 6.1 (medium): The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key…
CVE-2018-11408 — CVSS 6.1 (medium): The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before…
CVE-2018-12040 — CVSS 6.1 (medium): Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject…
CVE-2018-19790 — CVSS 6.1 (medium): An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before…
CVE-2023-46734 — CVSS 6.1 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and…
CVE-2023-46735 — CVSS 6.1 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to…
CVE-2018-11386 — CVSS 5.9 (medium): An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x…
CVE-2017-16653 — CVSS 5.9 (medium): An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF…
CVE-2022-24894 — CVSS 5.9 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a…
CVE-2019-10909 — CVSS 5.4 (medium): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not…
CVE-2019-18886 — CVSS 5.3 (medium): An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different…
CVE-2018-19789 — CVSS 5.3 (medium): An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9…
CVE-2021-21424 — CVSS 5.3 (medium): Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was…
CVE-2012-5574 — CVSS 5.0 (medium): lib/form/sfForm.class.php in Symfony CMS before 1.4.20 allows remote attackers to read arbitrary files via a crafted upload request.
CVE-2013-5958 — CVSS 5.0 (medium): The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote…
CVE-2020-5274 — CVSS 4.6 (medium): In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it…
CVE-2015-4050 — CVSS 4.3 (medium): FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0…
CVE-2012-2667 — CVSS 4.3 (medium): Session fixation vulnerability in lib/user/sfBasicSecurityUser.class.php in SensioLabs Symfony before 1.4.18 allows remote attackers to…
CVE-2024-50345 — CVSS 3.1 (low): symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The…
CVE-2020-5255 — CVSS 2.6 (low): In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can…
CVE-2024-51736 — CVSS 0.0 (none): Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file…