๐Ÿ” CVE Alert

CVE-2026-48784

UNKNOWN 0.0

Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` โ†’ Generated URL Collapses Off-Route Under RFC 3986 Normalization

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, UrlGenerator::doGenerate() used strtr() dot-segment encoding that skipped every other chained ../ or ./ segment, allowing attacker-controlled route parameters to generate URLs that collapse to a different path under RFC 3986 normalization. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.

CWE CWE-172 CWE-601
Vendor symfony
Product symfony
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for symfony symfony

Be the first to know when new unknown vulnerabilities affecting symfony symfony are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / symfony
< 5.4.53 >= 6.0.0-BETA1, < 6.4.41 >= 7.0.0-BETA1, < 7.4.13 >= 8.0.0-BETA1, < 8.0.13
symfony / routing
< 5.4.53 >= 6.0.0-BETA1, < 6.4.41 >= 7.0.0-BETA1, < 7.4.13 >= 8.0.0-BETA1, < 8.0.13

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/symfony/security/advisories/GHSA-h5x3-xfc9-m39h github.com: https://github.com/symfony/symfony/commit/4b63c3a3f7af04ecd79c89a594b0b02a01990b1d github.com: https://github.com/symfony/symfony/releases/tag/v5.4.53 github.com: https://github.com/symfony/symfony/releases/tag/v6.4.41 github.com: https://github.com/symfony/symfony/releases/tag/v7.4.13