X-MOM Webhook Signature Parsing Vulnerability in Symfony PHP Framework
CVE-2026-48747

6.3MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-48747?

A vulnerability exists in the Symfony PHP framework's MailomatRequestParser::validateSignature() function, where the X-MOM-Webhook-Signature is incorrectly parsed. This flaw allows for a downgrade of the signature algorithm, which could lead to authentication bypasses and compromise the integrity of webhook communications. The issue has been resolved in Symfony versions 7.4.13 and 8.0.13, which enforce the correct SHA-256 webhook signature as documented, ensuring enhanced security against signature manipulation.

Affected Version(s)

mailomat-mailer >= 7.2.0, < 7.4.12 < 7.2.0, 7.4.12

mailomat-mailer >= 8.0.0-BETA1, < 8.0.13 < 8.0.0-BETA1, 8.0.13

symfony >= 7.2.0, < 7.4.12 < 7.2.0, 7.4.12

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.