๐Ÿ” CVE Alert

CVE-2026-47767

UNKNOWN 0.0

Symfony: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch

CVSS Score
0.0
EPSS Score
0.4%
EPSS Percentile
31th

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.

CWE CWE-436
Vendor symfony
Product symfony
Published Jul 14, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for symfony symfony

Be the first to know when new unknown vulnerabilities affecting symfony symfony are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / symfony
>= 5.4.46, < 5.4.52 >= 6.4.14, < 6.4.40 >= 7.1.7, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12
symfony / runtime
>= 5.4.46, < 5.4.52 >= 6.4.14, < 6.4.40 >= 7.1.7, < 7.4.12 >= 8.0.0-BETA1, < 8.0.12

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/symfony/security/advisories/GHSA-fqc7-9xjw-jrh3 github.com: https://github.com/symfony/symfony/commit/3228c3806ee511008bea19a95084d460b17e5d25 github.com: https://github.com/symfony/symfony/releases/tag/v5.4.52 github.com: https://github.com/symfony/symfony/releases/tag/v6.4.40 github.com: https://github.com/symfony/symfony/releases/tag/v7.4.12 github.com: https://github.com/symfony/symfony/releases/tag/v8.0.12