CVE-2026-45754
Symfony: Mailjet Mailer Webhook Parser Never Verifies the Configured Secret โ Unauthenticated Webhook Event Injection
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
| CWE | CWE-287 CWE-306 |
| Vendor | symfony |
| Product | symfony |
| Published | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for symfony symfony
Be the first to know when new unknown vulnerabilities affecting symfony symfony are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
symfony / symfony
>= 6.4.0, < 6.4.40 >= 7.0.0-BETA1, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12
symfony / lox24-notifier
>= 7.1.0-BETA1, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12
symfony / mailjet-mailer
>= 6.4.0, < 6.4.40 >= 7.0.0-BETA1, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12
References
github.com: https://github.com/symfony/symfony/security/advisories/GHSA-64hg-93w9-fc35 github.com: https://github.com/symfony/symfony/commit/3e52bf5ab733ee32e35eeeeb2631d859c941838e github.com: https://github.com/symfony/symfony/commit/4aaa45dd054f73445f1ab254968b7e60b546cc77 github.com: https://github.com/symfony/symfony/releases/tag/v6.4.40 github.com: https://github.com/symfony/symfony/releases/tag/v7.4.12 github.com: https://github.com/symfony/symfony/releases/tag/v8.0.12