Injection Vulnerability in Symfony PHP Framework
CVE-2026-45070

6.3MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45070?

The Symfony PHP framework is affected by a header injection vulnerability due to improper validation in the ParameterizedHeader class. Prior to versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12, it allowed untrusted input in parameter names, which could facilitate the inclusion of CRLF or non-token bytes, enabling attackers to inject arbitrary headers into structured mail headers. This flaw raises significant concerns for web applications relying on Symfony for handling Content-Type or Content-Disposition headers, highlighting the importance of upgrading to the patched versions.

Affected Version(s)

mime < 5.4.52 < 5.4.52

mime >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

mime >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.