Vulnerability in Symfony PHP Framework Affects Multiple Versions
CVE-2026-47767
What is CVE-2026-47767?
The Symfony PHP framework has a vulnerability affecting multiple versions that may lead to improper input validation. Specifically, between versions 5.4.46 and 5.4.52, as well as 6.4.40, 7.4.12, and 8.0.12, a crafted query string could potentially leave the $_GET superglobal empty while still carrying attacker-controlled flags in $_SERVER['argv']. This inconsistency between parse_str() and web SAPI may allow attackers to manipulate the application environment variables, such as APP_ENV and APP_DEBUG. It is crucial for users of affected Symfony versions to upgrade to the patched versions to ensure the integrity and security of their applications. For more details on the fixes, refer to the official Symfony releases.
Affected Version(s)
runtime >= 5.4.46, < 5.4.52 < 5.4.46, 5.4.52
runtime >= 6.4.14, < 6.4.40 < 6.4.14, 6.4.40
runtime >= 7.1.7, < 7.4.12 < 7.1.7, 7.4.12
