X-MOM Webhook Signature Parsing Vulnerability in Symfony PHP Framework
CVE-2026-48747
6.3MEDIUM
What is CVE-2026-48747?
A vulnerability exists in the Symfony PHP framework's MailomatRequestParser::validateSignature() function, where the X-MOM-Webhook-Signature is incorrectly parsed. This flaw allows for a downgrade of the signature algorithm, which could lead to authentication bypasses and compromise the integrity of webhook communications. The issue has been resolved in Symfony versions 7.4.13 and 8.0.13, which enforce the correct SHA-256 webhook signature as documented, ensuring enhanced security against signature manipulation.
Affected Version(s)
mailomat-mailer >= 7.2.0, < 7.4.12 < 7.2.0, 7.4.12
mailomat-mailer >= 8.0.0-BETA1, < 8.0.13 < 8.0.0-BETA1, 8.0.13
symfony >= 7.2.0, < 7.4.12 < 7.2.0, 7.4.12
