Security Flaw in Symfony PHP Framework
CVE-2026-48784
5.1MEDIUM
What is CVE-2026-48784?
A path traversal vulnerability in the Symfony PHP framework affects URL generation functionality. Specifically, prior versions of UrlGenerator::doGenerate() mismanaged dot-segment encoding, failing to accurately interpret chained '../' and './' segments. This oversight allows for the crafting of attacker-controlled route parameters that can generate misleading URLs. The flaw is mitigated in the latest versions: 5.4.53, 6.4.41, 7.4.13, and 8.0.13, which incorporate improved handling of URL normalization according to RFC 3986.
Affected Version(s)
routing < 5.4.53 < 5.4.53
routing >= 6.0.0-BETA1, < 6.4.41 < 6.0.0-BETA1, 6.4.41
routing >= 7.0.0-BETA1, < 7.4.13 < 7.0.0-BETA1, 7.4.13
