URL Manipulation Vulnerability in Symfony PHP Framework
CVE-2026-45065
2.3LOW
What is CVE-2026-45065?
A vulnerability exists in prior versions of the Symfony PHP framework where the UrlGenerator does not properly validate route parameters, allowing attackers to create protocol-relative off-site URLs. This issue could be exploited by crafting specific route parameters that bypass validation checks. The vulnerability is addressed in the latest patched versions: 5.4.52, 6.4.40, 7.4.12, and 8.0.12, and users are advised to upgrade to prevent potential exploitation.
Affected Version(s)
symfony < 5.4.52 < 5.4.52
symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40
symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
