Injection Vulnerability in Symfony PHP Framework
CVE-2026-45070
6.3MEDIUM
What is CVE-2026-45070?
The Symfony PHP framework is affected by a header injection vulnerability due to improper validation in the ParameterizedHeader class. Prior to versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12, it allowed untrusted input in parameter names, which could facilitate the inclusion of CRLF or non-token bytes, enabling attackers to inject arbitrary headers into structured mail headers. This flaw raises significant concerns for web applications relying on Symfony for handling Content-Type or Content-Disposition headers, highlighting the importance of upgrading to the patched versions.
Affected Version(s)
mime < 5.4.52 < 5.4.52
mime >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40
mime >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
