URL Manipulation Vulnerability in Symfony PHP Framework
CVE-2026-45065

2.3LOW

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-45065?

A vulnerability exists in prior versions of the Symfony PHP framework where the UrlGenerator does not properly validate route parameters, allowing attackers to create protocol-relative off-site URLs. This issue could be exploited by crafting specific route parameters that bypass validation checks. The vulnerability is addressed in the latest patched versions: 5.4.52, 6.4.40, 7.4.12, and 8.0.12, and users are advised to upgrade to prevent potential exploitation.

Affected Version(s)

symfony < 5.4.52 < 5.4.52

symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.