Vulnerability in Symfony PHP Framework Affecting IPv6 Address Handling
CVE-2026-48736

6.9MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-48736?

The Symfony PHP framework has a vulnerability in its handling of IPv6 addresses, where certain transition prefixes are omitted by NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS. This oversight allows attacker-controlled URLs to misrepresent private IPv4 targets in a way that bypasses the protective checks of IpUtils::isPrivateIp(). The issue affects multiple versions, and it has been addressed in the latest releases for enhanced security.

Affected Version(s)

http-client >= 5.4.0, < 5.4.53

http-foundation >= 6.0.0-BETA1, < 6.4.41 < 6.0.0-BETA1, 6.4.41

http-foundation >= 7.0.0-BETA1, < 7.4.13 < 7.0.0-BETA1, 7.4.13

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.