CVE-2026-47212
Undergoing Analysis
Undergoing Analysis - In Progress
BaseFortify
Vulnerability report for CVE-2026-47212, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, TwilioRequestParser::doParse() received the configured webhook secret but ignored the X-Twilio-Signature HMAC header, allowing unauthenticated POST requests to inject forged Twilio status payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| symfony | symfony | to 6.4.40 (inc) |
| symfony | symfony | to 7.4.12 (inc) |
| symfony | symfony | to 8.0.12 (inc) |
| symfony | symfony | From 6.4 (inc) to 6.4.40 (exc) |
| symfony | symfony | From 7.0 (inc) to 7.4.12 (exc) |
| symfony | symfony | From 8.0 (inc) to 8.0.12 (exc) |
| symfony | twilio_notifier | From 6.4 (inc) to 6.4.40 (exc) |
| symfony | twilio_notifier | From 7.0 (inc) to 7.4.12 (exc) |
| symfony | twilio_notifier | From 8.0 (inc) to 8.0.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |