Releases: symfony/symfony
v8.1.0
Changelog (v8.1.0-RC1...v8.1.0)
- data #64399 Release v8.1.0
- feature #64398 Shopware is backing Symfony 8.1, thanks to them! (@nicolas-grekas)
- feature #64397 Mailtrap is backing Symfony 8.1, thanks to them! (@nicolas-grekas)
- feature #64396 Les-Tilleuls.coop is backing Symfony 8.1, thanks to them! (@nicolas-grekas)
- feature #64395 TYPO3 is backing Symfony 8.1, thanks to them! (@nicolas-grekas)
- bug #64376 [Translation] Fix XLIFF 2 catalog metadata (@MatTheCat)
- bug #64386 [Dotenv] Don't truncate external env vars containing $ when referenced via ${...} indirection (@nicolas-grekas)
- bug #64388 [Yaml] Fix parsing inline anchored values (@nicolas-grekas)
- bug #64358 [ObjectMapper] Fix TargetClass generic type in ConditionCallableInterface (Mudassar Ali)
- bug #64389 Migrate configureSchema() to DBAL's editor API (@nicolas-grekas)
- bug #64102 Remove usage of Kernel::VERSION (@fabpot)
- data #64374 Release v8.0.13
- data #64372 Release v7.4.13
- data #64371 Release v6.4.41
v8.1.0-RC1
Changelog (v8.1.0-BETA3...v8.1.0-RC1)
- data #64377 Release v8.1.0-RC1
- security #cve-2026-48747 [Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (@nicolas-grekas)
- security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
- security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
- security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@nicolas-grekas)
- security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
- security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
- security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
- bug #64356 [Tui] Throw when ext-zip is not installed and one tries to load a zipped figlet (@nicolas-grekas)
- bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (@nicolas-grekas)
- bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (@Dooij)
- bug #64348 [FrameworkBundle] Allow passing doctrine_open_transaction_logger's entity manager name positionally (@MatTheCat)
- feature #64334 [Form] Add handle_missing_data option to opt into MissingDataHandler for absent forms (@hlecorche)
- bug #64345 [Mime][String] Reject objects in typed-string properties during __unserialize (@nicolas-grekas)
- bug #64344 [Mailer][Notifier] Harden Mailchimp signature comparison and Smsbox IP allowlist (@nicolas-grekas)
- bug #64330 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (@signor-pedro)
- bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (@ousamabenyounes)
- bug #64338 [SecurityBundle] Fix Security::login() across firewalls (@ousamabenyounes)
- bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (@nicolas-grekas)
- bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (@nicolas-grekas)
- bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
- bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (@nicolas-grekas)
- bug #64337 [Security] Initialize lazy users before serializing them (@MatTheCat)
- bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
- bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
- bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
- bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (@MatTheCat)
- bug #64208 [AssetMapper] Rewrite relative paths in export ... from statements (@ousamabenyounes)
- bug #64311 [DependencyInjection] Fix service() as invokable factory in array-based PHP config (@nicolas-grekas)
- feature #64312 [FrameworkBundle][Validator] Add framework.validation.property_metadata_existence_check config (@nicolas-grekas)
- bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both WARNING and warning (@MatTheCat)
- bug #64260 [HttpClient] Various fixes and hardenings (@Lctrs)
- bug #64234 [Tui] Fix unattached widget element styles (@masskrdjn)
- bug #64309 [FrameworkBundle] Sign transports for unrouted messages too (@nicolas-grekas)
- bug #64223 [Tui] Fix invisible border with null color in BorderPattern's inverse strategies (@sblondeau)
- data #64306 Release v8.0.12
- data #64305 Release v7.4.12
- data #64302 Release v5.4.52
v8.0.13
Changelog (v8.0.12...v8.0.13)
- data #64374 Release v8.0.13
- security #cve-2026-48747 [Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (@nicolas-grekas)
- security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
- security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
- security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@nicolas-grekas)
- security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
- security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
- security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
- bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (@nicolas-grekas)
- bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (@Dooij)
- bug #64348 [FrameworkBundle] Allow passing doctrine_open_transaction_logger's entity manager name positionally (@MatTheCat)
- bug #64345 [Mime][String] Reject objects in typed-string properties during __unserialize (@nicolas-grekas)
- bug #64344 [Mailer][Notifier] Harden Mailchimp signature comparison and Smsbox IP allowlist (@nicolas-grekas)
- bug #64330 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (@signor-pedro)
- bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (@ousamabenyounes)
- bug #64338 [SecurityBundle] Fix Security::login() across firewalls (@ousamabenyounes)
- bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (@nicolas-grekas)
- bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (@nicolas-grekas)
- bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
- bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (@nicolas-grekas)
- bug #64337 [Security] Initialize lazy users before serializing them (@MatTheCat)
- bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
- bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
- bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
- bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (@MatTheCat)
- bug #64208 [AssetMapper] Rewrite relative paths in export ... from statements (@ousamabenyounes)
- bug #64311 [DependencyInjection] Fix service() as invokable factory in array-based PHP config (@nicolas-grekas)
- bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both WARNING and warning (@MatTheCat)
- bug #64260 [HttpClient] Various fixes and hardenings (@Lctrs)
- bug #64309 [FrameworkBundle] Sign transports for unrouted messages too (@nicolas-grekas)
- data #64305 Release v7.4.12
- data #64302 Release v5.4.52
v7.4.13
Changelog (v7.4.12...v7.4.13)
- data #64372 Release v7.4.13
- security #cve-2026-48747 [Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (@nicolas-grekas)
- security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
- security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
- security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@nicolas-grekas)
- security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
- security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
- security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
- bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (@nicolas-grekas)
- bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (@Dooij)
- bug #64348 [FrameworkBundle] Allow passing doctrine_open_transaction_logger's entity manager name positionally (@MatTheCat)
- bug #64345 [Mime][String] Reject objects in typed-string properties during __unserialize (@nicolas-grekas)
- bug #64344 [Mailer][Notifier] Harden Mailchimp signature comparison and Smsbox IP allowlist (@nicolas-grekas)
- bug #64330 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (@signor-pedro)
- bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (@ousamabenyounes)
- bug #64338 [SecurityBundle] Fix Security::login() across firewalls (@ousamabenyounes)
- bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (@nicolas-grekas)
- bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (@nicolas-grekas)
- bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
- bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (@nicolas-grekas)
- bug #64337 [Security] Initialize lazy users before serializing them (@MatTheCat)
- bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
- bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
- bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
- bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (@MatTheCat)
- bug #64208 [AssetMapper] Rewrite relative paths in export ... from statements (@ousamabenyounes)
- bug #64311 [DependencyInjection] Fix service() as invokable factory in array-based PHP config (@nicolas-grekas)
- bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both WARNING and warning (@MatTheCat)
- bug #64260 [HttpClient] Various fixes and hardenings (@Lctrs)
- bug #64309 [FrameworkBundle] Sign transports for unrouted messages too (@nicolas-grekas)
- data #64302 Release v5.4.52
v6.4.41
Changelog (v6.4.40...v6.4.41)
- data #64371 Release v6.4.41
- security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
- security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
- security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@nicolas-grekas)
- security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
- security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
- security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
- bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (@nicolas-grekas)
- bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (@Dooij)
- bug #64348 [FrameworkBundle] Allow passing doctrine_open_transaction_logger's entity manager name positionally (@MatTheCat)
- bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (@ousamabenyounes)
- bug #64338 [SecurityBundle] Fix Security::login() across firewalls (@ousamabenyounes)
- bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (@nicolas-grekas)
- bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (@nicolas-grekas)
- bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
- bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (@nicolas-grekas)
- bug #64337 [Security] Initialize lazy users before serializing them (@MatTheCat)
- bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
- bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
- bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
- bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (@MatTheCat)
- bug #64208 [AssetMapper] Rewrite relative paths in export ... from statements (@ousamabenyounes)
- bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both WARNING and warning (@MatTheCat)
- data #64302 Release v5.4.52
v5.4.53
Changelog (v5.4.52...v5.4.53)
- data #64370 Release v5.4.53
- security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
- security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
- security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
- bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
- bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
- bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
v8.1.0-BETA3
Changelog (v8.1.0-BETA2...v8.1.0-BETA3)
- data #64307 Release v8.1.0-BETA3
- data #64303 Release v6.4.40
- security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
- security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (@nicolas-grekas)
- security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
- security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
- security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
- security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
- security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
- security #cve-2026-45066 [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
- security #cve-2026-45069 [Security] Add missing claims in OidcTokenHandler (@alexandre-daubois)
- bug #64301 [TwigBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64300 [TwigBridge] Fix daisyUI form layout and AppVariable locale filtering (@nicolas-grekas)
- bug #64296 [Serializer] Improve normalizer error reporting and deprecations (@nicolas-grekas)
- bug #64297 [Tui] Various fixes and hardenings (@nicolas-grekas)
- bug #64299 [TypeInfo] Harden ObjectShapeType (@nicolas-grekas)
- bug #64294 [RateLimiter] Harden calendar-aligned fixed window mode (@nicolas-grekas)
- bug #64291 [MonologBridge] Harden MailerHandler subject truncation (@nicolas-grekas)
- bug #64290 [Security] Various fixes and hardenings (@nicolas-grekas)
- bug #64287 [Translation] Various fixes and hardenings (@nicolas-grekas)
- bug #64286 [WebProfilerBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64283 [Lock] Various fixes and hardenings (@nicolas-grekas)
- bug #64285 [WebLink] Add missing Link::AS_* constants for rel=preload/rel=modulepreload (@nicolas-grekas)
- feature #64284 [PasswordHasher] Support stdin input and refine warning in security:hash-password (@nicolas-grekas)
- bug #64273 [HttpKernel] Various fixes and hardenings (@nicolas-grekas)
- bug #64276 [Runtime] Various fixes and hardenings (@nicolas-grekas)
- bug #64280 [Workflow] Various fixes and hardenings (@nicolas-grekas)
- bug #64275 [Routing] Fix missing HostTrait in ContentLoaderTrait (@nicolas-grekas)
- bug #64274 [SecurityBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64272 [Mailer] Preserve the sent message object as is when sending it (@nicolas-grekas)
- bug #64243 [HttpClient] Various fixes and hardenings (@nicolas-grekas)
- bug #64269 [HttpFoundation] Various fixes and hardenings (@nicolas-grekas)
- bug #64268 [FrameworkBundle] Various fixes and hardenings (@nicolas-grekas)
- bug #64263 [ExpressionLanguage] Various fixes and hardenings (@nicolas-grekas)
- bug #64262 [EventDispatcher] Various fixes and hardenings (@nicolas-grekas)
- bug #64256 [DomCrawler] Various fixes and hardenings (@nicolas-grekas)
- bug #64254 [DependencyInjection] Various fixes and hardenings (@nicolas-grekas)
- bug #64252 [AssetMapper] Various fixes and hardenings (@nicolas-grekas)
- bug #64251 [ObjectMapper] Various fixes and hardenings (@nicolas-grekas)
- bug #64250 [CssSelector] Various fixes and hardenings (@nicolas-grekas)
- bug #64249 [Form] Various fixes and hardenings (@nicolas-grekas)
- bug #64248 [Mailer] Various fixes and hardenings (@nicolas-grekas)
- bug #64239 [Validator] Various fixes and hardenings (@nicolas-grekas)
- bug #64237 [Messenger] Various fixes and hardenings (@nicolas-grekas)
- bug #64242 [TwigBridge] Require Twig to 3.25 for EscaperRuntime service definition (@GromNaN)
- bug #64258 [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@nicolas-grekas)
- bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (@nicolas-grekas)
- bug #64207 [MonologBridge] Fix interactive_only not preventing propagation (@philbates35)
- bug #64241 [JsonStreamer] Various fixes and hardenings (@nicolas-grekas)
- bug #64255 [DoctrineBridge] Various fixes and hardenings (@nicolas-grekas)
- bug #64246 [Console] Various fixes and hardenings (@nicolas-grekas)
- bug #64244 [Semaphore] Various fixes and hardenings (@nicolas-grekas)
- bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
- bug #64215 [Runtime] Fix TypeError when resolving untyped arguments (@nicolas-grekas)
- security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
- security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
- security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
- security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
- security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
- security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
- security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
- security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
- security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
- security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)
- security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (@alexandre-daubois)
- security #cve-2026-45756 [JsonPath] Cap regex backtracking in match()/search() to prevent ReDoS (@alexandre-daubois)
- security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
- security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
- bug #64213 [Security] Fix impersonation being deauthenticated on every request (@nicolas-grekas)
- data #64202 Release v8.0.11
- data #64201 Release v7.4.11
- data #64200 Release v6.4.39
v8.0.12
Changelog (v8.0.11...v8.0.12)
- data #64306 Release v8.0.12
- data #64303 Release v6.4.40
- security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
- security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (@nicolas-grekas)
- security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
- security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
- security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
- security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
- security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
- security #cve-2026-45066 [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
- security #cve-2026-45069 [Security] Add missing claims in OidcTokenHandler (@alexandre-daubois)
- bug #64258 [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@nicolas-grekas)
- bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (@nicolas-grekas)
- bug #64207 [MonologBridge] Fix interactive_only not preventing propagation (@philbates35)
- bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
- security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
- security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
- security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
- security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
- security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
- security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
- security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
- security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
- security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
- security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)
- security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (@alexandre-daubois)
- security #cve-2026-45756 [JsonPath] Cap regex backtracking in match()/search() to prevent ReDoS (@alexandre-daubois)
- security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
- security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
- bug #64213 [Security] Fix impersonation being deauthenticated on every request (@nicolas-grekas)
- data #64201 Release v7.4.11
- data #64200 Release v6.4.39
v7.4.12
Changelog (v7.4.11...v7.4.12)
- data #64305 Release v7.4.12
- data #64303 Release v6.4.40
- security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
- security #cve-2026-45754 [Notifier][Lox24] Reject webhooks with missing or invalid token (@nicolas-grekas)
- security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
- security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
- security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
- security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
- security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
- security #cve-2026-45066 [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
- security #cve-2026-45069 [Security] Add missing claims in OidcTokenHandler (@alexandre-daubois)
- bug #64258 [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@nicolas-grekas)
- bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
- security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
- security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
- security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
- security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
- security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
- security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
- security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
- security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
- security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
- security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)
- security #cve-2026-45755 [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature (@alexandre-daubois)
- security #cve-2026-45756 [JsonPath] Cap regex backtracking in match()/search() to prevent ReDoS (@alexandre-daubois)
- security #cve-2026-45074 [Security] Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
- security #cve-2026-45075 [Security][HttpKernel] Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
- bug #64261 [Messenger] Fix PhpSerializer::getMessageType() when getting payload with Serializable instances (@nicolas-grekas)
- bug #64207 [MonologBridge] Fix interactive_only not preventing propagation (@philbates35)
- bug #64213 [Security] Fix impersonation being deauthenticated on every request (@nicolas-grekas)
- data #64200 Release v6.4.39
v6.4.40
Changelog (v6.4.39...v6.4.40)
- data #64303 Release v6.4.40
- security #cve-2026-46626 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] (@nicolas-grekas)
- security #cve-2026-47212 [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature (@nicolas-grekas)
- security #cve-2026-45753 [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
- security #cve-2026-45754 [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials (@alexandre-daubois)
- security #cve-2026-45072 [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() (@nicolas-grekas)
- security #cve-2026-45064 [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
- security #cve-2026-45066 [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)
- security #cve-2026-45069 [Security] Add missing claims in OidcTokenHandler (@alexandre-daubois)
- bug #64258 [DomCrawler] Fix ChoiceFormField::addChoice() clobbering values on multi-selects (@nicolas-grekas)
- bug #64214 [HttpKernel] Preserve named-attribute override on Request/Session value resolvers (@nicolas-grekas)
- security #cve-2026-45305 [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking (@nicolas-grekas)
- security #cve-2026-45304 [Yaml] Bound collection-alias resolution in the parser (@nicolas-grekas)
- security #cve-2026-45133 [Yaml] Bound recursion depth in the parser (@nicolas-grekas)
- security #cve-2026-45071 [DomCrawler] Fix XXE in addXmlContent() by not enabling validateOnParse (@alexandre-daubois)
- security #cve-2026-45068 [Mailer] Add end-of-options separator before recipients in SendmailTransport; reject addresses starting with a dash (@alexandre-daubois)
- security #cve-2026-45063 [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
- security #cve-2026-45065 [Routing] Fix regex alternation anchoring in UrlGenerator requirement validation (@alexandre-daubois)
- security #cve-2026-45067 [Mime] Reject email addresses containing line breaks in Address (@alexandre-daubois)
- security #cve-2026-45073 [Cache] Validate the prefix given to AbstractAdapter::clear() (@nicolas-grekas)
- security #cve-2026-45077 [MonologBridge] Bind server:log to localhost by default (@nicolas-grekas)