Vulnerability in Symfony PHP Framework Affects Multiple Versions
CVE-2026-47767

8.3HIGH

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-47767?

The Symfony PHP framework has a vulnerability affecting multiple versions that may lead to improper input validation. Specifically, between versions 5.4.46 and 5.4.52, as well as 6.4.40, 7.4.12, and 8.0.12, a crafted query string could potentially leave the $_GET superglobal empty while still carrying attacker-controlled flags in $_SERVER['argv']. This inconsistency between parse_str() and web SAPI may allow attackers to manipulate the application environment variables, such as APP_ENV and APP_DEBUG. It is crucial for users of affected Symfony versions to upgrade to the patched versions to ensure the integrity and security of their applications. For more details on the fixes, refer to the official Symfony releases.

Affected Version(s)

runtime >= 5.4.46, < 5.4.52 < 5.4.46, 5.4.52

runtime >= 6.4.14, < 6.4.40 < 6.4.14, 6.4.40

runtime >= 7.1.7, < 7.4.12 < 7.1.7, 7.4.12

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.