Encoding Flaw in Symfony Polyfill Impacts Multilingual Domain Name Processing
CVE-2026-46644

6.9MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-46644?

The Symfony Polyfill intl-idn prior to version 1.38.1 is vulnerable to an encoding flaw, where the polyfill accepts xn-- labels with empty Punycode payloads or those decoding to ASCII-only characters. This non-compliance with UTS #46 revision 33 allows for the potential of unequal domain names being misinterpreted as equal. Such an issue may lead to critical vulnerabilities such as blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications relying on this polyfill for hostname canonicalization and comparison. Users are advised to upgrade to version 1.38.1 or later to mitigate these risks.

Affected Version(s)

polyfill >= 1.17.1, < 1.38.1

polyfill-intl-idn >= 1.17.1, < 1.38.1

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.