CVE-2026-48784
Undergoing Analysis Undergoing Analysis - In Progress

BaseFortify

Vulnerability report for CVE-2026-48784, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, UrlGenerator::doGenerate() used strtr() dot-segment encoding that skipped every other chained ../ or ./ segment, allowing attacker-controlled route parameters to generate URLs that collapse to a different path under RFC 3986 normalization. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
symfony symfony to 5.4.53 (exc)
symfony symfony to 6.4.41 (exc)
symfony symfony to 7.4.13 (exc)
symfony symfony to 8.0.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-172 The product does not properly encode or decode the data, resulting in unexpected values.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Symfony PHP framework, which is used for web and console applications. The issue lies in the UrlGenerator::doGenerate() method, which improperly handles dot-segment encoding in URLs.

Specifically, the method uses strtr() for encoding dot-segments (like ../ or ./), but this implementation skips every other chained ../ or ./ segment. This flaw allows an attacker to manipulate route parameters in a way that generates URLs that, after RFC 3986 normalization, collapse to a different path than intended.

For example, an attacker could craft a malicious route parameter that, when processed by the vulnerable method, results in a URL pointing to an unintended or sensitive location within the application.

The vulnerability is fixed in Symfony versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.

Impact Analysis

If you are using an affected version of Symfony (prior to 5.4.53, 6.4.41, 7.4.13, or 8.0.13), this vulnerability could have several impacts:

  • An attacker could manipulate URLs to access unintended paths or resources within your application, potentially leading to unauthorized data exposure or actions.
  • If your application relies on route parameters for security checks (e.g., access control), this vulnerability could bypass those checks by generating misleading URLs.
  • The vulnerability could be exploited to perform phishing attacks by generating URLs that appear legitimate but redirect users to malicious destinations.
  • If your application processes user-controlled input to generate URLs (e.g., for redirects or API calls), this flaw could be used to craft malicious inputs that alter the intended behavior of the application.
Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the nature of your application and the data it handles:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access to personal data, it could result in a data breach. Under GDPR, organizations must implement appropriate technical measures to protect personal data. Failure to patch this vulnerability could be seen as a lapse in these measures, potentially leading to fines or penalties.
  • HIPAA (Health Insurance Portability and Accountability Act): For applications handling protected health information (PHI), this vulnerability could lead to unauthorized access or disclosure of PHI. HIPAA requires covered entities to implement safeguards to protect PHI, and exploiting this flaw could violate those requirements.
  • PCI DSS (Payment Card Industry Data Security Standard): If your application processes payment card data, this vulnerability could be exploited to access or manipulate sensitive information. PCI DSS requires regular patching of vulnerabilities to maintain compliance.
  • Other industry-specific regulations: Depending on your sector, this vulnerability could violate additional compliance requirements, such as those in finance (e.g., GLBA) or government (e.g., FISMA).

To maintain compliance, it is critical to update to a patched version of Symfony and ensure that all security vulnerabilities are addressed promptly.

Detection Guidance

Detecting this vulnerability requires checking the installed version of Symfony in your environment. The vulnerability affects Symfony versions prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13. You can verify the Symfony version using the following methods:

  • For Composer-based installations, run: composer show symfony/symfony or check the composer.lock file for the version of symfony/symfony.
  • For applications using Symfony, check the version in the vendor/symfony/symfony/VERSION file or via the command line: php bin/console --version.
  • Review application logs or HTTP responses for URLs generated by Symfony's UrlGenerator, particularly those with attacker-controlled parameters that may include dot-segments (../ or ./).

If the installed version matches any of the affected versions, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade Symfony to one of the patched versions: 5.4.53, 6.4.41, 7.4.13, or 8.0.13, depending on your current major version. Use Composer to update: composer update symfony/symfony.
  • If upgrading is not immediately possible, apply temporary workarounds such as input validation or sanitization for route parameters to prevent the injection of dot-segments (../ or ./).
  • Monitor and restrict access to routes that use UrlGenerator with user-controlled parameters until the upgrade is complete.
  • Review application logs for suspicious URL patterns or unexpected path traversals that may indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48784. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart