Commit 95a9517

data #64303 Release v6.4.40
Release v6.4.40
2 parents e560a58 + f46a73b commit 95a9517

3 files changed

2,904 additions & 2,880 deletions


‎CHANGELOG-6.4.md‎

23 additions & 0 deletions
@@ -7,6 +7,29 @@ in 6.4 minor versions.
77
To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
88
To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v6.4.0...v6.4.1
99

10+
* 6.4.40 (2026-05-20)
11+
12+
* security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (nicolas-grekas)
13+
* security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (nicolas-grekas)
14+
* security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (nicolas-grekas)
15+
* security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (alexandre-daubois)
16+
* security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (nicolas-grekas)
17+
* security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (nicolas-grekas)
18+
* security #cve-2026-45066 [HtmlSanitizer] Fix `allowLinkHosts`/`allowMediaHosts` bypass via URL parser differentials and `<area>` misclassification (alexandre-daubois)
19+
* security #cve-2026-45069 [Security] Add missing claims in `OidcTokenHandler` (alexandre-daubois)
20+
* bug #64258 [DomCrawler] Fix `ChoiceFormField::addChoice()` clobbering values on multi-selects (nicolas-grekas)
21+
* bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (nicolas-grekas)
22+
* security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (nicolas-grekas)
23+
* security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (nicolas-grekas)
24+
* security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (nicolas-grekas)
25+
* security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse` (alexandre-daubois)
26+
* security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (alexandre-daubois)
27+
* security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (alexandre-daubois)
28+
* security #cve-2026-45065 [Routing] Fix regex alternation anchoring in `UrlGenerator` requirement validation (alexandre-daubois)
29+
* security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (alexandre-daubois)
30+
* security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (nicolas-grekas)
31+
* security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (nicolas-grekas)
32+
1033
* 6.4.39 (2026-05-13)
1134

1235
* bug #64198 [SecurityBundle] Allow defining security provider factories without config (hockdudu)
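Review bot: The security entries on added lines 12-19 and 22-31 are keyed only by a `#cve-...` id, while the context lines above the hunk tell readers to look a change up at `https://github.com/symfony/symfony/commit/XXX` by change hash, so none of these entries can be resolved the way the file's own header describes. Consider adding the commit hash or an advisory link to each security entry. Several of them also tighten defaults or start rejecting previously accepted input in a patch release ("Bind server:log to localhost by default", "reject addresses starting with a dash", "Reject webhooks with missing or invalid HMAC signature", "Reject webhooks with missing or invalid Basic credentials"), and a short upgrade note for those would help operators who rely on the old behaviour. Minor style point: code identifiers are backticked in some entries (`OidcTokenHandler`, `validateOnParse`, `UrlGenerator`) but left bare in others (CodeExtension::fileExcerpt(), Parser::cleanup(), AbstractAdapter::clear(), $_SERVER['QUERY_STRING']), and the two `bug` entries on added lines 20-21 sit in the middle of the security block rather than being grouped.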
