symfony
diff --git a/Collapse file
‎CHANGELOG-8.1.md‎
Copy file name to clipboardExpand all lines: CHANGELOG-8.1.md
+70Lines changed: 70 additions & 0 deletions
Display the source diff
Display the rich diff b/Collapse file
‎CHANGELOG-8.1.md‎
Copy file name to clipboardExpand all lines: CHANGELOG-8.1.md
+70Lines changed: 70 additions & 0 deletions
Display the source diff
Display the rich diff
diff --git a/Collapse file
‎src/Symfony/Component/HttpKernel/Kernel.php‎
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/Kernel.php
+2-2Lines changed: 2 additions & 2 deletions b/Collapse file
‎src/Symfony/Component/HttpKernel/Kernel.php‎
Copy file name to clipboardExpand all lines: src/Symfony/Component/HttpKernel/Kernel.php
+2-2Lines changed: 2 additions & 2 deletions
@@ -7,6 +7,76 @@ in 8.1 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v8.1.0...v8.1.1
 
+* 8.1.0-BETA3 (2026-05-20)
+
+ * security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (nicolas-grekas)
+ * security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (nicolas-grekas)
+ * security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (nicolas-grekas)
+ * security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (nicolas-grekas)
+ * security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (alexandre-daubois)
+ * security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (nicolas-grekas)
+ * security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (nicolas-grekas)
+ * security #cve-2026-45066 [HtmlSanitizer] Fix `allowLinkHosts`/`allowMediaHosts` bypass via URL parser differentials and `<area>` misclassification (alexandre-daubois)
+ * security #cve-2026-45069 [Security] Add missing claims in `OidcTokenHandler` (alexandre-daubois)
+ * bug #64301 [TwigBundle] Various fixes and hardenings (nicolas-grekas)
+ * bug #64300 [TwigBridge] Fix daisyUI form layout and AppVariable locale filtering (nicolas-grekas)
+ * bug #64296 [Serializer] Improve normalizer error reporting and deprecations (nicolas-grekas)
+ * bug #64297 [Tui] Various fixes and hardenings (nicolas-grekas)
+ * bug #64299 [TypeInfo] Harden ObjectShapeType (nicolas-grekas)
+ * bug #64294 [RateLimiter] Harden calendar-aligned fixed window mode (nicolas-grekas)
+ * bug #64291 [MonologBridge] Harden MailerHandler subject truncation (nicolas-grekas)
+ * bug #64290 [Security] Various fixes and hardenings (nicolas-grekas)
+ * bug #64287 [Translation] Various fixes and hardenings (nicolas-grekas)
+ * bug #64286 [WebProfilerBundle] Various fixes and hardenings (nicolas-grekas)
+ * bug #64283 [Lock] Various fixes and hardenings (nicolas-grekas)
+ * bug #64285 [WebLink] Add missing `Link::AS_*` constants for `rel=preload` / `rel=modulepreload` (nicolas-grekas)
+ * feature #64284 [PasswordHasher] Support stdin input and refine warning in security:hash-password (nicolas-grekas)
+ * bug #64273 [HttpKernel] Various fixes and hardenings (nicolas-grekas)
+ * bug #64276 [Runtime] Various fixes and hardenings (nicolas-grekas)
+ * bug #64280 [Workflow] Various fixes and hardenings (nicolas-grekas)
+ * bug #64275 [Routing] Fix missing HostTrait in ContentLoaderTrait (nicolas-grekas)
+ * bug #64274 [SecurityBundle] Various fixes and hardenings (nicolas-grekas)
+ * bug #64272 [Mailer] Preserve the sent message object as is when sending it (nicolas-grekas)
+ * bug #64243 [HttpClient] Various fixes and hardenings (nicolas-grekas)
+ * bug #64269 [HttpFoundation] Various fixes and hardenings (nicolas-grekas)
+ * bug #64268 [FrameworkBundle] Various fixes and hardenings (nicolas-grekas)
+ * bug #64263 [ExpressionLanguage] Various fixes and hardenings (nicolas-grekas)
+ * bug #64262 [EventDispatcher] Various fixes and hardenings (nicolas-grekas)
+ * bug #64256 [DomCrawler] Various fixes and hardenings (nicolas-grekas)
+ * bug #64254 [DependencyInjection] Various fixes and hardenings (nicolas-grekas)
+ * bug #64252 [AssetMapper] Various fixes and hardenings (nicolas-grekas)
+ * bug #64251 [ObjectMapper] Various fixes and hardenings (nicolas-grekas)
+ * bug #64250 [CssSelector] Various fixes and hardenings (nicolas-grekas)
+ * bug #64249 [Form] Various fixes and hardenings (nicolas-grekas)
+ * bug #64248 [Mailer] Various fixes and hardenings (nicolas-grekas)
+ * bug #64239 [Validator] Various fixes and hardenings (nicolas-grekas)
+ * bug #64237 [Messenger] Various fixes and hardenings (nicolas-grekas)
+ * bug #64242 [TwigBridge] Require Twig to 3.25 for `EscaperRuntime` service definition (GromNaN)
+ * bug #64258 [DomCrawler] Fix `ChoiceFormField::addChoice()` clobbering values on multi-selects (nicolas-grekas)
+ * bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (nicolas-grekas)
+ * bug #64207 [MonologBridge] Fix `interactive_only` not preventing propagation (philbates35)
+ * bug #64241 [JsonStreamer] Various fixes and hardenings (nicolas-grekas)
+ * bug #64255 [DoctrineBridge] Various fixes and hardenings (nicolas-grekas)
+ * bug #64246 [Console] Various fixes and hardenings (nicolas-grekas)
+ * bug #64244 [Semaphore] Various fixes and hardenings (nicolas-grekas)
+ * bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (nicolas-grekas)
+ * bug #64215 [Runtime] Fix TypeError when resolving untyped arguments (nicolas-grekas)
+ * security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (nicolas-grekas)
+ * security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (nicolas-grekas)
+ * security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (nicolas-grekas)
+ * security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse` (alexandre-daubois)
+ * security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (alexandre-daubois)
+ * security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (alexandre-daubois)
+ * security #cve-2026-45065 [Routing] Fix regex alternation anchoring in `UrlGenerator` requirement validation (alexandre-daubois)
+ * security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (alexandre-daubois)
+ * security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (nicolas-grekas)
+ * security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (nicolas-grekas)
+ * security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (alexandre-daubois)
+ * security #cve-2026-45756 [JsonPath] Cap regex backtracking in `match()`/`search()` to prevent ReDoS (alexandre-daubois)
+ * security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (nicolas-grekas)
+ * security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in `IsGranted`, `IsCsrfTokenValid` and `IsSignatureValid` attributes (nicolas-grekas)
+ * bug #64213 [Security] Fix impersonation being deauthenticated on every request (nicolas-grekas)
+
 * 8.1.0-BETA2 (2026-05-13)
 
  * bug #64198 [SecurityBundle] Allow defining security provider factories without config (hockdudu)
 
@@ -45,12 +45,12 @@ abstract class Kernel extends AbstractKernel implements KernelInterface, Reboota
     private bool $resetServices = false;
     private bool $handlingHttpCache = false;
 
-    public const VERSION = '8.1.0-DEV';
+    public const VERSION = '8.1.0-BETA3';
     public const VERSION_ID = 80100;
     public const MAJOR_VERSION = 8;
     public const MINOR_VERSION = 1;
     public const RELEASE_VERSION = 0;
-    public const EXTRA_VERSION = 'DEV';
+    public const EXTRA_VERSION = 'BETA3';
 
     public const END_OF_MAINTENANCE = '01/2027';
     public const END_OF_LIFE = '01/2027';