symfony
diff --git a/Collapse file
‎CHANGELOG-8.1.md‎
Copy file name to clipboardExpand all lines: CHANGELOG-8.1.md
+37Lines changed: 37 additions & 0 deletions
Display the source diff
Display the rich diff b/Collapse file
‎CHANGELOG-8.1.md‎
Copy file name to clipboardExpand all lines: CHANGELOG-8.1.md
+37Lines changed: 37 additions & 0 deletions
Display the source diff
Display the rich diff
diff --git a/Collapse file
‎src/Symfony/Component/HttpKernel/Kernel.php‎
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/Kernel.php
+2-2Lines changed: 2 additions & 2 deletions b/Collapse file
‎src/Symfony/Component/HttpKernel/Kernel.php‎
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/Kernel.php
+2-2Lines changed: 2 additions & 2 deletions
@@ -7,6 +7,43 @@ in 8.1 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v8.1.0...v8.1.1
 
+* 8.1.0-RC1 (2026-05-27)
+
+ * security #cve-2026-48747 [Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (nicolas-grekas)
+ * security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on <object>, <applet>, <iframe>, <img>, and the URL inside <meta http-equiv="refresh"> content (nicolas-grekas)
+ * security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (nicolas-grekas)
+ * security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (nicolas-grekas)
+ * security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (nicolas-grekas)
+ * security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (nicolas-grekas)
+ * security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (nicolas-grekas)
+ * bug #64356 [Tui] Throw when ext-zip is not installed and one tries to load a zipped figlet (nicolas-grekas)
+ * bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (nicolas-grekas)
+ * bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (Dooij)
+ * bug #64348 [FrameworkBundle] Allow to pass `doctrine_open_transaction_logger`’s entity manager name positionally (MatTheCat)
+ * feature #64334 [Form] Add `handle_missing_data` option to opt into MissingDataHandler for absent forms (hlecorche)
+ * bug #64345 [Mime][String] Reject objects in typed-string properties during __unserialize (nicolas-grekas)
+ * bug #64344 [Mailer][Notifier] Harden Mailchimp signature comparison and Smsbox IP allowlist (nicolas-grekas)
+ * bug #64330 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (signor-pedro)
+ * bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (ousamabenyounes)
+ * bug #64338 [SecurityBundle] Fix Security::login() across firewalls (ousamabenyounes)
+ * bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (nicolas-grekas)
+ * bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (nicolas-grekas)
+ * bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (nicolas-grekas)
+ * bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (nicolas-grekas)
+ * bug #64337 [Security] Initialize lazy users before serializing them (MatTheCat)
+ * bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (nicolas-grekas)
+ * bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (nicolas-grekas)
+ * bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (nicolas-grekas)
+ * bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (MatTheCat)
+ * bug #64208 [AssetMapper] Rewrite relative paths in `export ... from` statements (ousamabenyounes)
+ * bug #64311 [DependencyInjection] Fix `service()` as invokable factory in array-based PHP config (nicolas-grekas)
+ * feature #64312 [FrameworkBundle][Validator] Add `framework.validation.property_metadata_existence_check` config (nicolas-grekas)
+ * bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both `WARNING` and `warning` (MatTheCat)
+ * bug #64260 [HttpClient] Various fixes and hardenings (Lctrs)
+ * bug #64234 [Tui] Fix unattached widget element styles (masskrdjn)
+ * bug #64309 [FrameworkBundle] Sign transports for unrouted messages too (nicolas-grekas)
+ * bug #64223 [Tui] Fix invisible border with null color in BorderPattern's inverse strategies (sblondeau)
+
 * 8.1.0-BETA3 (2026-05-20)
 
  * security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (nicolas-grekas)
 
@@ -45,12 +45,12 @@ abstract class Kernel extends AbstractKernel implements KernelInterface, Reboota
     private bool $resetServices = false;
     private bool $handlingHttpCache = false;
 
-    public const VERSION = '8.1.0-DEV';
+    public const VERSION = '8.1.0-RC1';
     public const VERSION_ID = 80100;
     public const MAJOR_VERSION = 8;
     public const MINOR_VERSION = 1;
     public const RELEASE_VERSION = 0;
-    public const EXTRA_VERSION = 'DEV';
+    public const EXTRA_VERSION = 'RC1';
 
     public const END_OF_MAINTENANCE = '01/2027';
     public const END_OF_LIFE = '01/2027';