๐Ÿ” CVE Alert

CVE-2026-45754

UNKNOWN 0.0

Symfony: Mailjet Mailer Webhook Parser Never Verifies the Configured Secret โ€” Unauthenticated Webhook Event Injection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

CWE CWE-287 CWE-306
Vendor symfony
Product symfony
Published Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for symfony symfony

Be the first to know when new unknown vulnerabilities affecting symfony symfony are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / symfony
>= 6.4.0, < 6.4.40 >= 7.0.0-BETA1, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12
symfony / lox24-notifier
>= 7.1.0-BETA1, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12
symfony / mailjet-mailer
>= 6.4.0, < 6.4.40 >= 7.0.0-BETA1, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/symfony/security/advisories/GHSA-64hg-93w9-fc35 github.com: https://github.com/symfony/symfony/commit/3e52bf5ab733ee32e35eeeeb2631d859c941838e github.com: https://github.com/symfony/symfony/commit/4aaa45dd054f73445f1ab254968b7e60b546cc77 github.com: https://github.com/symfony/symfony/releases/tag/v6.4.40 github.com: https://github.com/symfony/symfony/releases/tag/v7.4.12 github.com: https://github.com/symfony/symfony/releases/tag/v8.0.12