Security Flaw in Symfony PHP Framework
CVE-2026-48784

5.1MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-48784?

A path traversal vulnerability in the Symfony PHP framework affects URL generation functionality. Specifically, prior versions of UrlGenerator::doGenerate() mismanaged dot-segment encoding, failing to accurately interpret chained '../' and './' segments. This oversight allows for the crafting of attacker-controlled route parameters that can generate misleading URLs. The flaw is mitigated in the latest versions: 5.4.53, 6.4.41, 7.4.13, and 8.0.13, which incorporate improved handling of URL normalization according to RFC 3986.

Affected Version(s)

routing < 5.4.53 < 5.4.53

routing >= 6.0.0-BETA1, < 6.4.41 < 6.0.0-BETA1, 6.4.41

routing >= 7.0.0-BETA1, < 7.4.13 < 7.0.0-BETA1, 7.4.13

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.