CVE-2026-48747
Undergoing Analysis
Undergoing Analysis - In Progress
BaseFortify
Vulnerability report for CVE-2026-48747, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.13 and 8.0.13, MailomatRequestParser::validateSignature() parsed X-MOM-Webhook-Signature as algo=signature and passed the request-selected algorithm to hash_hmac(), allowing a signature algorithm downgrade instead of enforcing Mailomat's documented SHA-256 webhook signature. This issue is fixed in versions 7.4.13 and 8.0.13.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| symfony | symfony | to 7.4.13 (inc) |
| symfony | symfony | to 8.0.13 (inc) |
| symfony | symfony | to 8.0.13 (exc) |
| symfony | symfony | to 8.1 (exc) |
| symfony | symfony | From 7.2 (inc) to 7.4.13 (exc) |
| symfony | symfony | From 8.0 (inc) to 8.0.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-757 | A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |