PHP Framework Vulnerability in Symfony Affecting Multiple Versions
CVE-2026-45073

6.3MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-45073?

Prior to specific versions, the Symfony PHP framework contains a vulnerability in the PdoAdapter::doClear() method. This method constructs a DELETE SQL statement using a namespace derived from user-supplied input. Because it does not properly bind or escape this input, an attacker able to manipulate the input can alter the intended behavior of the SQL statement, potentially allowing unauthorized data deletions or modifications. This flaw has been rectified in the fixed releases of Symfony.

Affected Version(s)

symfony < 5.4.52 < 5.4.52

symfony >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

symfony >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.