Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (laravel/framework-v8.83.25 version) |
Remediation Possible** |
| CVE-2024-52301 |
 High |
7.5 |
laravel/framework-v8.83.25 |
Direct |
laravel/framework - v7.30.7,laravel/framework - v11.31.0,laravel/framework - v8.83.28,laravel/framework - v9.52.17,laravel/framework - v10.48.23,laravel/framework - v6.20.45 |
❌ |
| CVE-2025-64500 |
High |
7.3 |
symfony/http-foundation-v5.4.20 |
Transitive |
N/A* |
❌ |
| CVE-2025-22145 |
High |
7.3 |
nesbot/carbon-2.62.1 |
Transitive |
N/A* |
❌ |
| CVE-2026-45070 |
 Medium |
6.5 |
symfony/mime-v5.4.19 |
Transitive |
N/A* |
❌ |
| CVE-2026-45067 |
Medium |
6.5 |
symfony/mime-v5.4.19 |
Transitive |
N/A* |
❌ |
| CVE-2025-27515 |
Medium |
6.5 |
laravel/framework-v8.83.25 |
Direct |
laravel/framework - v12.1.1,laravel/framework - v10.48.29,laravel/framework - v11.44.1 |
❌ |
| CVE-2025-46734 |
Medium |
6.4 |
league/commonmark-2.3.5 |
Transitive |
N/A* |
❌ |
| CVE-2026-24739 |
Medium |
6.3 |
symfony/process-v5.4.11 |
Transitive |
N/A* |
❌ |
| CVE-2026-45065 |
Medium |
6.1 |
symfony/routing-v5.4.11 |
Transitive |
N/A* |
❌ |
| CVE-2026-46644 |
Medium |
5.8 |
symfony/polyfill-intl-idn-v1.27.0 |
Transitive |
N/A* |
❌ |
| CVE-2026-33347 |
Medium |
5.8 |
league/commonmark-2.3.5 |
Transitive |
N/A* |
❌ |
| CVE-2026-30838 |
Medium |
4.1 |
league/commonmark-2.3.5 |
Transitive |
N/A* |
❌ |
| CVE-2024-50345 |
 Low |
3.1 |
symfony/http-foundation-v5.4.20 |
Transitive |
N/A* |
❌ |
| CVE-2024-51736 |
Low |
0.0 |
symfony/process-v5.4.11 |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-52301
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Fix Resolution: laravel/framework - v7.30.7,laravel/framework - v11.31.0,laravel/framework - v8.83.28,laravel/framework - v9.52.17,laravel/framework - v10.48.23,laravel/framework - v6.20.45
Step up your Open Source Security Game with Mend here
CVE-2025-64500
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/http-foundation-v5.4.20 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".
Publish Date: 2025-11-12
URL: CVE-2025-64500
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3rg7-wf37-54rm
Release Date: 2025-11-12
Fix Resolution: symfony/symfony - v7.3.7,symfony/http-foundation - v6.4.29,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29
Step up your Open Source Security Game with Mend here
CVE-2025-22145
Vulnerable Library - nesbot/carbon-2.62.1
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ nesbot/carbon-2.62.1 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: nesbot/carbon - 2.72.6,nesbot/carbon - 3.8.4
Step up your Open Source Security Game with Mend here
CVE-2026-45070
Vulnerable Library - symfony/mime-v5.4.19
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/a858429a9c704edc53fe057228cf9ca282ba48eb
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/mime-v5.4.19 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Mime\Header\ParameterizedHeader" (and the related parameter handling reachable from "Symfony\Component\Mime\Header\Headers") is responsible for serializing structured headers such as "Content-Type" and "Content-Disposition", which carry "key=value" parameters (e.g. "Content-Disposition: attachment; filename="x""). RFC 2045 / RFC 5322 require parameter names to be "tokens": a restricted ASCII subset that excludes whitespace, CR/LF, and the "tspecials" set. Symfony's parameter handling validates and properly encodes parameter values, but does not validate parameter names: the supplied name is emitted verbatim into the serialized header. A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a "Content-Disposition" parameter name, can include "\r\n" or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot. Resolution "ParameterizedHeader" now rejects parameter names that contain bytes outside the RFC "token" character class. The patch for this issue is available "here" (symfony/symfony@e62ea21) for branch 5.4. Credits Symfony would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45070
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v7.4.10,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38
Step up your Open Source Security Game with Mend here
CVE-2026-45067
Vulnerable Library - symfony/mime-v5.4.19
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/a858429a9c704edc53fe057228cf9ca282ba48eb
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/mime-v5.4.19 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Mime\Address" is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local-part (the part before "@") is an RFC-5322 quoted string containing raw "\r\n" bytes, e.g. ""x\r\nBcc: attacker@evil"@example.com". The stored address is later emitted verbatim into (1) the rendered message headers and (2) "SmtpTransport"'s "MAIL FROM:<...>" / "RCPT TO:<...>" protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. Resolution The "Address" constructor now rejects addresses containing line breaks. The patch for this issue is available "here" (symfony/symfony@dc2dbd2) for branch 5.4. Credits We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-31
URL: CVE-2026-45067
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v7.4.10
Step up your Open Source Security Game with Mend here
CVE-2025-27515
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
- ❌ laravel/framework-v8.83.25 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-78fx-h6xr-vch4
Release Date: 2025-03-05
Fix Resolution: laravel/framework - v12.1.1,laravel/framework - v10.48.29,laravel/framework - v11.44.1
Step up your Open Source Security Game with Mend here
CVE-2025-46734
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Publish Date: 2025-05-05
URL: CVE-2025-46734
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3527-qv2q-pfvx
Release Date: 2025-05-05
Fix Resolution: league/commonmark - 2.7.0
Step up your Open Source Security Game with Mend here
CVE-2026-24739
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/process-v5.4.11 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably "=") as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. "rmdir", "del", etc.) with a path argument containing "=", the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing "=" (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via "MSYS2_ARG_CONV_EXCL"), understanding this may affect other tooling behavior.
Publish Date: 2026-01-28
URL: CVE-2026-24739
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-r39x-jcww-82v6
Release Date: 2026-01-28
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.5,https://github.com/symfony/symfony.git - v7.3.11,https://github.com/symfony/symfony.git - v5.4.51,https://github.com/symfony/symfony.git - v7.4.5,https://github.com/symfony/symfony.git - v6.4.33
Step up your Open Source Security Game with Mend here
CVE-2026-45065
Vulnerable Library - symfony/routing-v5.4.11
Maps an HTTP request to a set of configuration variables
Library home page: https://api.github.com/repos/symfony/routing/zipball/3e01ccd9b2a3a4167ba2b3c53612762300300226
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/routing-v5.4.11 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description Symfony routes can declare a requirements regex per path parameter, e.g. a route "/{_locale}/blog" with "requirements: { _locale: 'en|fr|de' }". The Twig "path()" / "url()" helpers (backed by "UrlGenerator") validate supplied parameter values against that regex before building the URL. UrlGenerator constructs the validation pattern as "'#^'.$req.'$#'", where "$req" is the raw requirement string. For a requirement expressed as an alternation, e.g. "_locale: 'ar|bg|...|vi|...|zh_CN'" (very common), "^" and "$" anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like "/evil.com" satisfies the requirement (because it contains "vi"), and the generated path becomes "//evil.com/...": a protocol-relative URL the browser navigates off-site. Resolution The "UrlGenerator" class now wraps the requirement in a non-capturing group so the "^" and "$" anchors apply to the whole alternation. The patch for this issue is available "here" (symfony/symfony@bcf487c) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-28
URL: CVE-2026-45065
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.9,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v7.4.9,https://github.com/symfony/symfony.git - v5.4.52
Step up your Open Source Security Game with Mend here
CVE-2026-46644
Vulnerable Library - symfony/polyfill-intl-idn-v1.27.0
Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
Library home page: https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/639084e360537a19f9ee352433b84ce831f3d2da
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- symfony/mime-v5.4.19
- ❌ symfony/polyfill-intl-idn-v1.27.0 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description "symfony/polyfill-intl-idn" provides a userland implementation of "idn_to_utf8()" and "idn_to_ascii()" for runtimes that lack the "intl" extension. Its "Idn::process()" method decodes labels prefixed with "xn--" using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point. As a consequence, "xn--" labels whose Punycode payload is empty ("xn--") or decodes to a string made of only ASCII code points (e.g. "xn--kc1zs4-") are accepted by the polyfill while PHP's native "ext-intl" rejects them with "IDNA_ERROR_INVALID_ACE_LABEL". Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224). Example with "IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII": | Input | Polyfill output | Native "ext-intl" output | | --- | --- | --- | | "poc.xn--kc1zs4-.com" | "poc.kc1zs4.com" | "false" ("errors=1024") | | "poc.kc1zs4.xn--" | "poc.kc1zs4." | "false" ("errors=1024") | Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency. Resolution "Idn::process()" now records "IDNA_ERROR_INVALID_ACE_LABEL" when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native "ext-intl" behaviour and UTS #46 revision 33. The patch for this issue is available "here" (symfony/polyfill@1be936e) for branch 1.x. Credits Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-05-31
URL: CVE-2026-46644
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xf4-cg6j-vhgq
Release Date: 2026-05-28
Fix Resolution: symfony/polyfill-intl-idn - v1.38.1,symfony/polyfill - v1.38.1
Step up your Open Source Security Game with Mend here
CVE-2026-33347
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Publish Date: 2026-03-24
URL: CVE-2026-33347
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-hh8v-hgvp-g3f5
Release Date: 2026-03-20
Fix Resolution: league/commonmark - 2.8.2
Step up your Open Source Security Game with Mend here
CVE-2026-30838
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ league/commonmark-2.3.5 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Publish Date: 2026-03-07
URL: CVE-2026-30838
CVSS 3 Score Details (4.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4v6x-c7xx-hw9f
Release Date: 2026-03-07
Fix Resolution: league/commonmark - 2.8.1
Step up your Open Source Security Game with Mend here
CVE-2024-50345
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/http-foundation-v5.4.20 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,symfony/http-foundation - v7.1.7,symfony/http-foundation - v6.4.14
Step up your Open Source Security Game with Mend here
CVE-2024-51736
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
- laravel/framework-v8.83.25 (Root Library)
- ❌ symfony/process-v5.4.11 (Vulnerable Library)
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qq5c-677p-737q
Release Date: 2024-11-06
Fix Resolution: symfony/symfony - v6.4.14,symfony/process - v7.1.7,symfony/process - v5.4.46,symfony/process - v6.4.14,symfony/symfony - v7.1.7,symfony/symfony - v5.4.46
Step up your Open Source Security Game with Mend here
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Fix Resolution: laravel/framework - v7.30.7,laravel/framework - v11.31.0,laravel/framework - v8.83.28,laravel/framework - v9.52.17,laravel/framework - v10.48.23,laravel/framework - v6.20.45
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the "Request" class improperly interprets some "PATH_INFO" in a way that leads to representing some URLs with a path that doesn't start with a "/". This can allow bypassing some access control rules that are built with this "/"-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the "Request" class now ensures that URL paths always start with a "/".
Publish Date: 2025-11-12
URL: CVE-2025-64500
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3rg7-wf37-54rm
Release Date: 2025-11-12
Fix Resolution: symfony/symfony - v7.3.7,symfony/http-foundation - v6.4.29,symfony/http-foundation - v7.3.7,symfony/symfony - v6.4.29
Step up your Open Source Security Game with Mend here
Vulnerable Library - nesbot/carbon-2.62.1
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: nesbot/carbon - 2.72.6,nesbot/carbon - 3.8.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/mime-v5.4.19
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/a858429a9c704edc53fe057228cf9ca282ba48eb
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Mime\Header\ParameterizedHeader" (and the related parameter handling reachable from "Symfony\Component\Mime\Header\Headers") is responsible for serializing structured headers such as "Content-Type" and "Content-Disposition", which carry "key=value" parameters (e.g. "Content-Disposition: attachment; filename="x""). RFC 2045 / RFC 5322 require parameter names to be "tokens": a restricted ASCII subset that excludes whitespace, CR/LF, and the "tspecials" set. Symfony's parameter handling validates and properly encodes parameter values, but does not validate parameter names: the supplied name is emitted verbatim into the serialized header. A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a "Content-Disposition" parameter name, can include "\r\n" or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot. Resolution "ParameterizedHeader" now rejects parameter names that contain bytes outside the RFC "token" character class. The patch for this issue is available "here" (symfony/symfony@e62ea21) for branch 5.4. Credits Symfony would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45070
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v7.4.10,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/mime-v5.4.19
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/a858429a9c704edc53fe057228cf9ca282ba48eb
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Mime\Address" is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local-part (the part before "@") is an RFC-5322 quoted string containing raw "\r\n" bytes, e.g. ""x\r\nBcc: attacker@evil"@example.com". The stored address is later emitted verbatim into (1) the rendered message headers and (2) "SmtpTransport"'s "MAIL FROM:<...>" / "RCPT TO:<...>" protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. Resolution The "Address" constructor now rejects addresses containing line breaks. The patch for this issue is available "here" (symfony/symfony@dc2dbd2) for branch 5.4. Credits We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-31
URL: CVE-2026-45067
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v7.4.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-78fx-h6xr-vch4
Release Date: 2025-03-05
Fix Resolution: laravel/framework - v12.1.1,laravel/framework - v10.48.29,laravel/framework - v11.44.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
Publish Date: 2025-05-05
URL: CVE-2025-46734
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3527-qv2q-pfvx
Release Date: 2025-05-05
Fix Resolution: league/commonmark - 2.7.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably "=") as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. "rmdir", "del", etc.) with a path argument containing "=", the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing "=" (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via "MSYS2_ARG_CONV_EXCL"), understanding this may affect other tooling behavior.
Publish Date: 2026-01-28
URL: CVE-2026-24739
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r39x-jcww-82v6
Release Date: 2026-01-28
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.5,https://github.com/symfony/symfony.git - v7.3.11,https://github.com/symfony/symfony.git - v5.4.51,https://github.com/symfony/symfony.git - v7.4.5,https://github.com/symfony/symfony.git - v6.4.33
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/routing-v5.4.11
Maps an HTTP request to a set of configuration variables
Library home page: https://api.github.com/repos/symfony/routing/zipball/3e01ccd9b2a3a4167ba2b3c53612762300300226
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description Symfony routes can declare a requirements regex per path parameter, e.g. a route "/{_locale}/blog" with "requirements: { _locale: 'en|fr|de' }". The Twig "path()" / "url()" helpers (backed by "UrlGenerator") validate supplied parameter values against that regex before building the URL. UrlGenerator constructs the validation pattern as "'#^'.$req.'$#'", where "$req" is the raw requirement string. For a requirement expressed as an alternation, e.g. "_locale: 'ar|bg|...|vi|...|zh_CN'" (very common), "^" and "$" anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like "/evil.com" satisfies the requirement (because it contains "vi"), and the generated path becomes "//evil.com/...": a protocol-relative URL the browser navigates off-site. Resolution The "UrlGenerator" class now wraps the requirement in a non-capturing group so the "^" and "$" anchors apply to the whole alternation. The patch for this issue is available "here" (symfony/symfony@bcf487c) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-28
URL: CVE-2026-45065
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.9,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v7.4.9,https://github.com/symfony/symfony.git - v5.4.52
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/polyfill-intl-idn-v1.27.0
Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
Library home page: https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/639084e360537a19f9ee352433b84ce831f3d2da
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Description "symfony/polyfill-intl-idn" provides a userland implementation of "idn_to_utf8()" and "idn_to_ascii()" for runtimes that lack the "intl" extension. Its "Idn::process()" method decodes labels prefixed with "xn--" using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point. As a consequence, "xn--" labels whose Punycode payload is empty ("xn--") or decodes to a string made of only ASCII code points (e.g. "xn--kc1zs4-") are accepted by the polyfill while PHP's native "ext-intl" rejects them with "IDNA_ERROR_INVALID_ACE_LABEL". Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224). Example with "IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII": | Input | Polyfill output | Native "ext-intl" output | | --- | --- | --- | | "poc.xn--kc1zs4-.com" | "poc.kc1zs4.com" | "false" ("errors=1024") | | "poc.kc1zs4.xn--" | "poc.kc1zs4." | "false" ("errors=1024") | Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency. Resolution "Idn::process()" now records "IDNA_ERROR_INVALID_ACE_LABEL" when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native "ext-intl" behaviour and UTS #46 revision 33. The patch for this issue is available "here" (symfony/polyfill@1be936e) for branch 1.x. Credits Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-05-31
URL: CVE-2026-46644
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2xf4-cg6j-vhgq
Release Date: 2026-05-28
Fix Resolution: symfony/polyfill-intl-idn - v1.38.1,symfony/polyfill - v1.38.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Publish Date: 2026-03-24
URL: CVE-2026-33347
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hh8v-hgvp-g3f5
Release Date: 2026-03-20
Fix Resolution: league/commonmark - 2.8.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - league/commonmark-2.3.5
Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and GitHub-Flavored Markdown (GFM)
Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/84d74485fdb7074f4f9dd6f02ab957b1de513257
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. This issue has been patched in version 2.8.1.
Publish Date: 2026-03-07
URL: CVE-2026-30838
CVSS 3 Score Details (4.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4v6x-c7xx-hw9f
Release Date: 2026-03-07
Fix Resolution: league/commonmark - 2.8.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,symfony/http-foundation - v7.1.7,symfony/http-foundation - v6.4.14
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qq5c-677p-737q
Release Date: 2024-11-06
Fix Resolution: symfony/symfony - v6.4.14,symfony/process - v7.1.7,symfony/process - v5.4.46,symfony/process - v6.4.14,symfony/symfony - v7.1.7,symfony/symfony - v5.4.46
Step up your Open Source Security Game with Mend here