CVE-2026-47767
Received
Received - Intake
BaseFortify
Vulnerability report for CVE-2026-47767, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| symfony | symfony | From 5.4.46 (inc) to 5.4.51 (inc) |
| symfony | symfony | From 6.4.14 (inc) to 6.4.39 (inc) |
| symfony | symfony | From 7.1.7 (inc) to 7.4.11 (inc) |
| symfony | symfony | From 8.0.0 (inc) to 8.0.11 (inc) |
| symfony | symfony | 5.4.52 |
| symfony | symfony | 6.4.40 |
| symfony | symfony | 7.4.12 |
| symfony | symfony | 8.0.12 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |