Encoding Flaw in Symfony Polyfill Impacts Multilingual Domain Name Processing
CVE-2026-46644
6.9MEDIUM
What is CVE-2026-46644?
The Symfony Polyfill intl-idn prior to version 1.38.1 is vulnerable to an encoding flaw, where the polyfill accepts xn-- labels with empty Punycode payloads or those decoding to ASCII-only characters. This non-compliance with UTS #46 revision 33 allows for the potential of unequal domain names being misinterpreted as equal. Such an issue may lead to critical vulnerabilities such as blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications relying on this polyfill for hostname canonicalization and comparison. Users are advised to upgrade to version 1.38.1 or later to mitigate these risks.
Affected Version(s)
polyfill >= 1.17.1, < 1.38.1
polyfill-intl-idn >= 1.17.1, < 1.38.1
