v7.4.13
Changelog (v7.4.12...v7.4.13)
- data #64372 Release v7.4.13
- security #cve-2026-48747 [Mailer] Pin Mailomat webhook signature algorithm to SHA-256 (@nicolas-grekas)
- security #cve-2026-48761 [HtmlSanitizer] Sanitize URL attributes on , , <iframe>, , and the URL inside content (@nicolas-grekas)
- security #cve-2026-48760 [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs (@nicolas-grekas)
- security #cve-2026-48736 [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS (@nicolas-grekas)
- security #cve-2026-48736 [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient (@nicolas-grekas)
- security #cve-2026-48489 [Security] Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
- security #cve-2026-48784 [Routing] Fix dot-segment encoding for chained "../" and "./" in generated URLs (@nicolas-grekas)
- bug #64355 [Console] Format message in ConsoleSectionOutput::overwrite() (@nicolas-grekas)
- bug #64349 [HttpClient] ntlm regression on authPersistNonNTLM=false connections with reset() (@Dooij)
- bug #64348 [FrameworkBundle] Allow passing doctrine_open_transaction_logger’s entity manager name positionally (@MatTheCat)
- bug #64345 [Mime][String] Reject objects in typed-string properties during __unserialize (@nicolas-grekas)
- bug #64344 [Mailer][Notifier] Harden Mailchimp signature comparison and Smsbox IP allowlist (@nicolas-grekas)
- bug #64330 [Cache] Fix strlen(null) deprecation on RelayCluster path in RedisTrait::doClear() (@signor-pedro)
- bug #64335 [Scheduler] Recover pending RecurringMessages after consumer stops midway (@ousamabenyounes)
- bug #64338 [SecurityBundle] Fix Security::login() across firewalls (@ousamabenyounes)
- bug #64347 [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses (@nicolas-grekas)
- bug #64343 [Mime][RateLimiter][Routing][Security] Harden __unserialize against __toString trampolines (@nicolas-grekas)
- bug #64342 [HtmlSanitizer] Honor universal attribute sanitizers, apply maxInputLength to text contexts, document forceAttribute and allowAttribute caveats (@nicolas-grekas)
- bug #64341 [FrameworkBundle][Mailer] Harden default IP allowlist for Postmark and Brevo webhook parsers (@nicolas-grekas)
- bug #64337 [Security] Initialize lazy users before serializing them (@MatTheCat)
- bug #64346 [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args (@nicolas-grekas)
- bug #64336 [Cache] Accept '_' and ':' in prefix passed to AbstractAdapter::clear() (@nicolas-grekas)
- bug #64316 [Yaml] Allow trailing newlines after the end-of-document marker (@nicolas-grekas)
- bug #64289 [Translation] Don’t check the error message to know if Lokalise keys are missing (@MatTheCat)
- bug #64208 [AssetMapper] Rewrite relative paths in export ... from statements (@ousamabenyounes)
- bug #64311 [DependencyInjection] Fix service() as invokable factory in array-based PHP config (@nicolas-grekas)
- bug #64310 [HttpKernel][WebProfilerBundle] Check logs priority name for both WARNING and warning (@MatTheCat)
- bug #64260 [HttpClient] Various fixes and hardenings (@Lctrs)
- bug #64309 [FrameworkBundle] Sign transports for unrouted messages too (@nicolas-grekas)
- data #64302 Release v5.4.52