๐Ÿ” CVE Alert

CVE-2026-46644

UNKNOWN 0.0

symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony Polyfill backports PHP features and provides compatibility layers for extensions and functions. From 1.17.1 until 1.38.1, symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload is empty or decodes to ASCII-only code points because Idn::process() does not enforce the UTS #46 revision 33 requirement that decoded ACE labels contain at least one non-ASCII code point. Originally unequal domain names can be regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing, and server-side request forgery in applications using the polyfill to canonicalise or compare hostnames. This issue is fixed in version 1.38.1.

CWE CWE-1289
Vendor symfony
Product polyfill
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for symfony polyfill

Be the first to know when new unknown vulnerabilities affecting symfony polyfill are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / polyfill
>= 1.17.1, < 1.38.1
symfony / polyfill-intl-idn
>= 1.17.1, < 1.38.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq github.com: https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec github.com: https://github.com/symfony/polyfill/releases/tag/v1.38.1