CVE-2026-47767
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-47767, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.46 until 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the CVE-2024-50340 fix gated runtime argv parsing on empty($_GET), but parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
symfony symfony From 5.4.46 (inc) to 5.4.51 (inc)
symfony symfony From 6.4.14 (inc) to 6.4.39 (inc)
symfony symfony From 7.1.7 (inc) to 7.4.11 (inc)
symfony symfony From 8.0.0 (inc) to 8.0.11 (inc)
symfony symfony 5.4.52
symfony symfony 6.4.40
symfony symfony 7.4.12
symfony symfony 8.0.12

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
AI Quick Actions have not been generated yet.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47767. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart