CERTFR-2026-AVI-0617
Vulnerability from certfr_avis
Published: 2026-05-20 (initial version; no later revision recorded)
Multiple vulnerabilities have been discovered in Symfony. Some of them allow an attacker to cause a remote denial of service, to perform remote cross-site scripting (XSS) and to perform cross-site request forgery (CSRF). The advisory's risk list also includes a security policy bypass.
Solutions
Refer to the vendor's security bulletins to obtain the patches (see the References section below; the fixed releases per package and branch are listed under Impacted products).
Impacted products
The source lists one entry per package and maintained branch; the rows below group those entries by Composer package. A package is affected when its installed version is lower than the fixed release of its branch (5.4.52, 6.4.40, 7.4.12 or 8.0.12).

| Vendor | Product | Description |
|---|---|---|
| Symfony | Symfony | symfony/symfony versions prior to 5.4.52, 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/mime versions prior to 5.4.52, 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/yaml versions prior to 5.4.52, 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/monolog-bridge versions prior to 5.4.52, 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/runtime versions prior to 5.4.52, 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/html-sanitizer versions prior to 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/mailjet-mailer versions prior to 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/twilio-notifier versions prior to 6.4.40, 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/json-path versions prior to 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/lox24-notifier versions prior to 7.4.12 and 8.0.12 for composer |
| Symfony | Symfony | symfony/mailtrap-mailer versions prior to 7.4.12 and 8.0.12 for composer |
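The fixed releases in the table are what a practitioner has to act on, so the natural local check is to read `composer.lock` and flag any listed package whose installed release is below the fixed release of its branch. The script below is an added example written for this page, not code from CERT-FR or the Symfony project. It assumes the standard composer.lock layout (`packages` and `packages-dev` arrays whose entries carry `name` and `version`) and reads "versions prior to X" literally: a release with no fixed version in its own branch (for instance 7.3.x, or 5.4.x of a package whose earliest fix is 6.4.40) is flagged as affected, and a dev or branch alias version is reported as unknown rather than guessed. The sample lock content is constructed for the example.

```python
import json
import re

# Fixed releases per Composer package, copied from the advisory's
# impacted-products list (CERTFR-2026-AVI-0617).
FIXED_VERSIONS = {
    "symfony/symfony":         ["5.4.52", "6.4.40", "7.4.12", "8.0.12"],
    "symfony/mime":            ["5.4.52", "6.4.40", "7.4.12", "8.0.12"],
    "symfony/yaml":            ["5.4.52", "6.4.40", "7.4.12", "8.0.12"],
    "symfony/monolog-bridge":  ["5.4.52", "6.4.40", "7.4.12", "8.0.12"],
    "symfony/runtime":         ["5.4.52", "6.4.40", "7.4.12", "8.0.12"],
    "symfony/html-sanitizer":  ["6.4.40", "7.4.12", "8.0.12"],
    "symfony/mailjet-mailer":  ["6.4.40", "7.4.12", "8.0.12"],
    "symfony/twilio-notifier": ["6.4.40", "7.4.12", "8.0.12"],
    "symfony/json-path":       ["7.4.12", "8.0.12"],
    "symfony/lox24-notifier":  ["7.4.12", "8.0.12"],
    "symfony/mailtrap-mailer": ["7.4.12", "8.0.12"],
}

# Plain release tags only ("v7.4.11" or "7.4.11"); dev branches and
# aliases ("7.4.x-dev", "dev-main") deliberately do not match.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """Return (major, minor, patch) for a release tag, or None for anything
    that is not a plain release and therefore needs a manual look."""
    m = _VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(package, version):
    """True if `version` of `package` is below the advisory's fix threshold,
    False if it is at or above it, None if the package is not listed in the
    advisory or the version cannot be parsed."""
    fixed = FIXED_VERSIONS.get(package)
    if fixed is None:
        return None
    v = parse_version(version)
    if v is None:
        return None
    # "Versions prior to X" read literally: compare against the lowest fixed
    # release whose major is at or above the installed major, so an unpatched
    # intermediate branch (e.g. 7.3.x) is still reported as affected.
    thresholds = [parse_version(f) for f in fixed]
    candidates = [t for t in thresholds if t[0] >= v[0]]
    if not candidates:
        return False  # newer major than anything the advisory covers
    return v < min(candidates)


def audit_lock(lock_text):
    """Scan composer.lock content; return {package: (version, status)} for
    every advisory-listed package, status in {'affected', 'fixed', 'unknown'}."""
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name", ""), pkg.get("version", "")
            if name not in FIXED_VERSIONS:
                continue
            verdict = is_affected(name, version)
            status = "unknown" if verdict is None else ("affected" if verdict else "fixed")
            findings[name] = (version, status)
    return findings


# Constructed sample lock content (not a real project's composer.lock).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v7.4.11"},
        {"name": "symfony/yaml", "version": "v6.4.40"},
        {"name": "symfony/runtime", "version": "v5.4.51"},
        {"name": "symfony/twilio-notifier", "version": "v5.4.30"},
        {"name": "symfony/json-path", "version": "7.4.x-dev"},
        {"name": "twig/twig", "version": "v3.21.1"},
    ],
    "packages-dev": [
        {"name": "symfony/html-sanitizer", "version": "v8.0.12"},
    ],
})

if __name__ == "__main__":
    for name, (version, status) in sorted(audit_lock(SAMPLE_LOCK).items()):
        print(f"{status:9s} {name} {version}")
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of the project's composer.lock. This script only knows the packages and thresholds in this bulletin; Composer's own `composer audit` (Composer 2.4 and later) checks the full Packagist security-advisory database and is the check to rely on once these advisories are indexed there.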
References
Vendor advisories (all published 2026-05-20), as listed in the advisory record below:

| Title | Publication Time | URL |
|---|---|---|
| Symfony security advisory GHSA-vqc8-7275-q272 | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-vqc8-7275-q272 |
| Symfony security advisory GHSA-64hg-93w9-fc35 | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-64hg-93w9-fc35 |
| Symfony security advisory GHSA-fqc7-9xjw-jrh3 | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-fqc7-9xjw-jrh3 |
| Symfony security advisory GHSA-9frc-8383-795m | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m |
| Symfony security advisory GHSA-8v8v-g73j-492j | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-8v8v-g73j-492j |
| Symfony security advisory GHSA-59f3-vp2f-mp9w | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-59f3-vp2f-mp9w |
| Symfony security advisory GHSA-4qpc-3hr4-r2p4 | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4 |
| Symfony security advisory GHSA-hhg7-c65m-h7ff | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff |
| Symfony security advisory GHSA-55rj-x2vc-4whq | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-55rj-x2vc-4whq |
| Symfony security advisory GHSA-m7v2-7gxm-vc2v | 2026-05-20 | https://github.com/symfony/symfony/security/advisories/GHSA-m7v2-7gxm-vc2v |

CVE identifiers: CVE-2026-45070, CVE-2026-45077, CVE-2026-45304, CVE-2026-45305, CVE-2026-45753, CVE-2026-45754, CVE-2026-45755, CVE-2026-45756, CVE-2026-46626, CVE-2026-47212 (records at https://www.cve.org/CVERecord?id=<CVE id>).

Advisory record (JSON):
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "symfony/symfony versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/symfony versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/symfony versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mime versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/yaml versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/monolog-bridge versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/twilio-notifier versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/runtime versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/yaml versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/twilio-notifier versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/yaml versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/html-sanitizer versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/html-sanitizer versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mime versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/yaml versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mailtrap-mailer versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mailtrap-mailer versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/monolog-bridge versions \u003c5.4.x ant\u00e9rieures \u00e0 5.4.52 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/symfony versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/lox24-notifier versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/lox24-notifier versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mailjet-mailer versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/json-path versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/monolog-bridge versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/twilio-notifier versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/runtime versions ant\u00e9rieures \u00e0 5.4.52 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mailjet-mailer versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/runtime versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/runtime versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/symfony versions ant\u00e9rieures \u00e0 5.4.52 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/monolog-bridge versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mime versions ant\u00e9rieures \u00e0 6.4.40 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mime versions ant\u00e9rieures \u00e0 8.0.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/html-sanitizer versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/mailjet-mailer versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
},
{
"description": "symfony/json-path versions ant\u00e9rieures \u00e0 7.4.12 pour composer",
"product": {
"name": "Symfony",
"vendor": {
"name": "Symfony",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-45304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45304"
},
{
"name": "CVE-2026-46626",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-46626"
},
{
"name": "CVE-2026-45077",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45077"
},
{
"name": "CVE-2026-45753",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45753"
},
{
"name": "CVE-2026-45756",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45756"
},
{
"name": "CVE-2026-45755",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45755"
},
{
"name": "CVE-2026-45305",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45305"
},
{
"name": "CVE-2026-45754",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45754"
},
{
"name": "CVE-2026-45070",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45070"
},
{
"name": "CVE-2026-47212",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47212"
}
],
"initial_release_date": "2026-05-20T00:00:00",
"last_revision_date": "2026-05-20T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0617",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Symfony. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une injection de code indirecte \u00e0 distance (XSS) et une injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Symfony",
"vendor_advisories": [
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-vqc8-7275-q272",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-vqc8-7275-q272"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-64hg-93w9-fc35",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-64hg-93w9-fc35"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-fqc7-9xjw-jrh3",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-fqc7-9xjw-jrh3"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-9frc-8383-795m",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-8v8v-g73j-492j",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-8v8v-g73j-492j"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-59f3-vp2f-mp9w",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-59f3-vp2f-mp9w"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-4qpc-3hr4-r2p4",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-hhg7-c65m-h7ff",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-55rj-x2vc-4whq",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-55rj-x2vc-4whq"
},
{
"published_at": "2026-05-20",
"title": "Bulletin de s\u00e9curit\u00e9 Symfony GHSA-m7v2-7gxm-vc2v",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-m7v2-7gxm-vc2v"
}
]
}