Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2dc2bb94 by Salvatore Bonaccorso at 2026-05-27T20:45:36+02:00
Add references for symfony issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,15 +1,35 @@
 CVE-2026-48736
        - symfony 7.4.13+dfsg-1
+       NOTE: 
https://symfony.com/blog/cve-2026-48736-iputils-private-subnets-omits-ipv6-transition-forms-ssrf-bypass-in-noprivatenetworkhttpclient
+       NOTE: 
https://github.com/symfony/symfony/commit/85b831555be8ea1f43bf01078afe87bc4c92f65e
 (v6.4.41)
+       NOTE: 
https://github.com/symfony/symfony/commit/82765368cf74177c36613575182f168a2eb765b2
 (v5.4.53)
 CVE-2026-48747
        - symfony 7.4.13+dfsg-1
+       [trixie] - symfony <not-affected> (Vulnerable code not present)
+       [bookworm] - symfony <not-affected> (Vulnerable code not present)
+       [bullseye] - symfony <not-affected> (Vulnerable code not present)
+       NOTE: 
https://symfony.com/blog/cve-2026-48747-mailomat-webhook-parser-reads-the-hmac-algorithm-from-the-request-signature-algorithm-downgrade
+       NOTE: 
https://github.com/symfony/symfony/commit/bdfe9fe0d94d33dfaca0bc2fe0b00b54767b0c88
 (v7.4.13)
 CVE-2026-48760
        - symfony 7.4.13+dfsg-1
+       [bookworm] - symfony <not-affected> (Vulnerable code not present)
+       [bullseye] - symfony <not-affected> (Vulnerable code not present)
+       NOTE: 
https://symfony.com/blog/cve-2026-48760-htmlsanitizer-url-parser-underinclusive-percent-encoded-bidi-marks-and-unicode-whitespace-bypass
+       NOTE: 
https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8
 (v6.4.41)
 CVE-2026-48761
        - symfony 7.4.13+dfsg-1
+       [bookworm] - symfony <not-affected> (Vulnerable code not present)
+       [bullseye] - symfony <not-affected> (Vulnerable code not present)
+       NOTE: 
https://symfony.com/blog/cve-2026-48761-htmlsanitizer-misses-url-attributes-on-object-applet-iframe-img-and-meta-refresh
+       NOTE: 
https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0
 (v6.4.41)
 CVE-2026-48784
        - symfony 7.4.13+dfsg-1
+       NOTE: 
https://symfony.com/blog/cve-2026-48784-urlgenerator-encoding-skips-every-other-chained-or-generated-url-collapses-off-route
+       NOTE: 
https://github.com/symfony/symfony/commit/4b63c3a3f7af04ecd79c89a594b0b02a01990b1d
 (v5.4.53)
 CVE-2026-48489
        - symfony 7.4.13+dfsg-1
+       NOTE: 
https://symfony.com/blog/cve-2026-48489-security-firewall-bypass-via-failure-forward-subrequest
+       NOTE: 
https://github.com/symfony/symfony/commit/c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff
 (v5.4.53)
 CVE-2026-46636
        - php-twig <unfixed>
        NOTE: 
https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
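
Review bot: The `<not-affected>` lines added for CVE-2026-48747 (trixie, bookworm, bullseye) and for CVE-2026-48760 and CVE-2026-48761 (bookworm, bullseye) give only "Vulnerable code not present", with no NOTE recording which upstream commit or release introduced the affected code, so the triage cannot be re-checked from the entry itself. Consider adding an introduced-by NOTE next to the fix commit in each of those three entries. A second, smaller point: the fix-commit NOTEs are tagged with different upstream branches from entry to entry (v5.4.53, v6.4.41, v7.4.13, and both v6.4.41 and v5.4.53 for CVE-2026-48736), while every entry records 7.4.13+dfsg-1 as the fixed version. A short remark on which branch's commit is being referenced, and why, would make the references easier to follow when backporting.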



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc2bb94132f25e146766f2347979aac54f224cf



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits