Vulnerability in Symfony PHP Framework Affecting IPv6 Address Handling
CVE-2026-48736
6.9MEDIUM
What is CVE-2026-48736?
The Symfony PHP framework has a vulnerability in its handling of IPv6 addresses, where certain transition prefixes are omitted by NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS. This oversight allows attacker-controlled URLs to misrepresent private IPv4 targets in a way that bypasses the protective checks of IpUtils::isPrivateIp(). The issue affects multiple versions, and it has been addressed in the latest releases for enhanced security.
Affected Version(s)
http-client >= 5.4.0, < 5.4.53
http-foundation >= 6.0.0-BETA1, < 6.4.41 < 6.0.0-BETA1, 6.4.41
http-foundation >= 7.0.0-BETA1, < 7.4.13 < 7.0.0-BETA1, 7.4.13
