@@ -7,6 +7,38 @@ in 8.0 minor versions.
77To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
88To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v8.0.0...v8.0.1
99
10+ * 8.0.13 (2026-05-27)
11+
12+ * security #cve-2026 -48747 [ Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (nicolas-grekas)
13+ * security #cve-2026 -48761 [ HtmlSanitizer] Sanitize URL attributes on <object >, <applet >, <iframe >, <img >, and the URL inside <meta http-equiv =" refresh " > content (nicolas-grekas)
14+ * security #cve-2026 -48760 [ HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (nicolas-grekas)
15+ * security #cve-2026 -48736 [ HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (nicolas-grekas)
16+ * security #cve-2026 -48736 [ HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (nicolas-grekas)
17+ * security #cve-2026 -48489 [ Security] Don't honor user-supplied _ failure_path on failure_forward (nicolas-grekas)
18+ * security #cve-2026 -48784 [ Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (nicolas-grekas)
19+ * bug #64355 [ Console] Format message in ConsoleSectionOutput::overwrite() (nicolas-grekas)
20+ * bug #64349 [ HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (Dooij)
21+ * bug #64348 [ FrameworkBundle] Allow to pass ` doctrine_open_transaction_logger ` ’s entity manager name positionally (MatTheCat)
22+ * bug #64345 [ Mime] [ String ] Reject objects in typed-string properties during __ unserialize (nicolas-grekas)
23+ * bug #64344 [ Mailer] [ Notifier ] Harden Mailchimp signature comparison and Smsbox IP allowlist (nicolas-grekas)
24+ * bug #64330 [ Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (signor-pedro)
25+ * bug #64335 [ Scheduler] Recover pending RecurringMessages after consumer stops midway (ousamabenyounes)
26+ * bug #64338 [ SecurityBundle] Fix Security::login() across firewalls (ousamabenyounes)
27+ * bug #64347 [ Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (nicolas-grekas)
28+ * bug #64343 [ Mime] [ RateLimiter ] [ Routing] [ Security ] Harden __ unserialize against __ toString trampolines (nicolas-grekas)
29+ * bug #64342 [ HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (nicolas-grekas)
30+ * bug #64341 [ FrameworkBundle] [ Mailer ] Harden default IP allowlist for Postmark and Brevo webhook parsers (nicolas-grekas)
31+ * bug #64337 [ Security] Initialize lazy users before serializing them (MatTheCat)
32+ * bug #64346 [ Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (nicolas-grekas)
33+ * bug #64336 [ Cache] Accept '_ ' and ':' in prefix passed to AbstractAdapter::clear() (nicolas-grekas)
34+ * bug #64316 [ Yaml] Allow trailing newlines after the end-of-document marker (nicolas-grekas)
35+ * bug #64289 [ Translation] Don’t check the error message to know if Lokalise keys are missing (MatTheCat)
36+ * bug #64208 [ AssetMapper] Rewrite relative paths in ` export ... from ` statements (ousamabenyounes)
37+ * bug #64311 [ DependencyInjection] Fix ` service() ` as invokable factory in array-based PHP config (nicolas-grekas)
38+ * bug #64310 [ HttpKernel] [ WebProfilerBundle ] Check logs priority name for both ` WARNING ` and ` warning ` (MatTheCat)
39+ * bug #64260 [ HttpClient] Various fixes and hardenings (Lctrs)
40+ * bug #64309 [ FrameworkBundle] Sign transports for unrouted messages too (nicolas-grekas)
41+
1042* 8.0.12 (2026-05-20)
1143
1244 * security #cve-2026 -46626 [ Runtime] Fix CVE-2024 -50340 patch bypass by gating argv on $_ SERVER[ 'QUERY_STRING'] (nicolas-grekas)
0 commit comments