Commit 275f5cb

data #64305 Release v7.4.12
Release v7.4.12
2 parents 85730dd + feb361f commit 275f5cb

2 files changed

+33 -2 lines changed: 33 additions & 2 deletions


‎CHANGELOG-7.4.md‎

+31 lines changed: 31 additions & 0 deletions
@@ -7,6 +7,37 @@ in 7.4 minor versions.
77
To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
88
To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v7.4.0...v7.4.1
99

10+
* 7.4.12 (2026-05-20)
11+
12+
* security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (nicolas-grekas)
13+
* security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (nicolas-grekas)
14+
* security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (nicolas-grekas)
15+
* security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (nicolas-grekas)
16+
* security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (alexandre-daubois)
17+
* security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (nicolas-grekas)
18+
* security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (nicolas-grekas)
19+
* security #cve-2026-45066 [HtmlSanitizer] Fix `allowLinkHosts`/`allowMediaHosts` bypass via URL parser differentials and `<area>` misclassification (alexandre-daubois)
20+
* security #cve-2026-45069 [Security] Add missing claims in `OidcTokenHandler` (alexandre-daubois)
21+
* bug #64258 [DomCrawler] Fix `ChoiceFormField::addChoice()` clobbering values on multi-selects (nicolas-grekas)
22+
* bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (nicolas-grekas)
23+
* security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (nicolas-grekas)
24+
* security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (nicolas-grekas)
25+
* security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (nicolas-grekas)
26+
* security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse` (alexandre-daubois)
27+
* security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (alexandre-daubois)
28+
* security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (alexandre-daubois)
29+
* security #cve-2026-45065 [Routing] Fix regex alternation anchoring in `UrlGenerator` requirement validation (alexandre-daubois)
30+
* security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (alexandre-daubois)
31+
* security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (nicolas-grekas)
32+
* security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (nicolas-grekas)
33+
* security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (alexandre-daubois)
34+
* security #cve-2026-45756 [JsonPath] Cap regex backtracking in `match()`/`search()` to prevent ReDoS (alexandre-daubois)
35+
* security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (nicolas-grekas)
36+
* security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in `IsGranted`, `IsCsrfTokenValid` and `IsSignatureValid` attributes (nicolas-grekas)
37+
* bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (nicolas-grekas)
38+
* bug #64207 [MonologBridge] Fix `interactive_only` not preventing propagation (philbates35)
39+
* bug #64213 [Security] Fix impersonation being deauthenticated on every request (nicolas-grekas)
40+
1041
* 7.4.11 (2026-05-13)
1142

1243
* bug #64198 [SecurityBundle] Allow defining security provider factories without config (hockdudu)
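Review bot: The identifier #cve-2026-45754 appears on two different entries in the new 7.4.12 list, the [Notifier][Lox24] webhook token fix and the [Mailer][Mailjet] Basic credentials fix, while the sibling webhook entries for Twilio and Mailtrap each carry their own id (#cve-2026-47212 and #cve-2026-45755). If a single advisory really covers both bridges, say so in one of the two entries; otherwise correct the duplicated id before tagging, because readers match these ids against advisories when deciding which components force an upgrade.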

‎src/Symfony/Component/HttpKernel/Kernel.php‎

+2 -2 lines changed: 2 additions & 2 deletions
@@ -74,12 +74,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl
7474
*/
7575
private static array $freshCache = [];
7676

77-
public const VERSION = '7.4.12-DEV';
77+
public const VERSION = '7.4.12';
7878
public const VERSION_ID = 70412;
7979
public const MAJOR_VERSION = 7;
8080
public const MINOR_VERSION = 4;
8181
public const RELEASE_VERSION = 12;
82-
public const EXTRA_VERSION = 'DEV';
82+
public const EXTRA_VERSION = '';
8383

8484
public const END_OF_MAINTENANCE = '11/2028';
8585
public const END_OF_LIFE = '11/2029';
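Review bot: The DEV/stable state is stored twice, in the suffix of VERSION and in EXTRA_VERSION, and both changed lines are edited by hand, so the two can drift apart on a future release. They agree here ('7.4.12' with an empty EXTRA_VERSION, matching VERSION_ID 70412 and RELEASE_VERSION 12), but a small test asserting that VERSION equals MAJOR_VERSION.MINOR_VERSION.RELEASE_VERSION plus an optional '-' and EXTRA_VERSION, and that VERSION_ID matches the same three numbers, would catch a partial bump. That matters for a release like this one, where downstream version checks for the security fixes rely on these constants.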
