symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6317 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6317-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     June 01, 2026                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : symfony     CVE ID         : CVE-2024-50340 CVE-2026-45063 CVE-2026-45065 CVE-2026-45067                      CVE-2026-45068 CVE-2026-45071 CVE-2026-45073 CVE-2026-45077                      CVE-2026-45133 CVE-2026-45304 CVE-2026-45305 CVE-2026-46626                      CVE-2026-48489 CVE-2026-48736 CVE-2026-48784

    Multiple vulnerabilities have been found in the Symfony PHP framework     which could lead to a bypass of security controls, cross-site scripting,     denial of service, SQL injection, email header injection, information     disclosure or code execution via PHP object deserialization.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 5.4.53+dfsg-0+deb12u1.

    We recommend that you upgrade your symfony packages.

    For the detailed security status of symfony please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/symfony

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6312 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6312-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 31, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : symfony     CVE ID         : CVE-2024-50340 CVE-2026-45063 CVE-2026-45064 CVE-2026-45065                      CVE-2026-45066 CVE-2026-45067 CVE-2026-45068 CVE-2026-45069                      CVE-2026-45071 CVE-2026-45072 CVE-2026-45073 CVE-2026-45077                      CVE-2026-45133 CVE-2026-45304 CVE-2026-45305 CVE-2026-45754                      CVE-2026-46626 CVE-2026-48489 CVE-2026-48736 CVE-2026-48760                      CVE-2026-48761 CVE-2026-48784

    Multiple vulnerabilities have been found in the Symfony PHP framework     which could lead to a bypass of security controls, cross-site scripting,     denial of service, SQL injection, email header injection, information     disclosure or code execution via PHP object deserialization.

    For the stable distribution (trixie), these problems have been fixed in     version 6.4.41+dfsg-0+deb13u1.

    We recommend that you upgrade your symfony packages.

    For the detailed security status of symfony please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/symfony

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from     global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a     special crafted query string, they are able to change the environment or debug mode used by the kernel     when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the     `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds     for this vulnerability. (CVE-2024-50340)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7272-1 advisory.

    Soner Sayakci discovered that Symfony incorrectly handled cookie storage in the web cache. An attacker     could possibly use this issue to obtain sensitive information and access unauthorized resources.
    (CVE-2022-24894)

    Marco Squarcina discovered that Symfony incorrectly handled the storage of user session information. An     attacker could possibly use this issue to perform a cross-site request forgery (CSRF) attack.
    (CVE-2022-24895)

    Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An attacker could possibly use this     issue to perform cross site scripting. (CVE-2023-46734)

    Vladimir Dusheyko discovered that Symfony incorrectly sanitized special input with a PHP directive in URL     query strings. An attacker could possibly use this issue to expose sensitive information or cause a denial     of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50340)

    Oleg Andreyev, Antoine Makdessi, and Moritz Rauch discovered that Symfony incorrectly handled user     authentication. An attacker could possibly use this issue to access unauthorized resources and expose     sensitive information. This issue was only addressed in Ubuntu 24.04 LTS. (CVE-2024-50341, CVE-2024-51996)

    Linus Karlsson and Chris Smith discovered that Symfony returned internal host information during host     resolution. An attacker could possibly use this issue to obtain sensitive information. This issue only     affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50342)

    It was discovered that Symfony incorrectly parsed user input through regular expressions. An attacker     could possibly use this issue to expose sensitive information. (CVE-2024-50343)

    Sam Mush discovered that Symfony incorrectly parsed URIs with special characters. An attacker could     possibly use this issue to perform phishing attacks. (CVE-2024-50345)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5809 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5809-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     November 11, 2024                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : symfony     CVE ID         : CVE-2024-50340 CVE-2024-50342 CVE-2024-50343 CVE-2024-50345

    Multiple vulnerabilities have been found in the Symfony PHP framework     which could lead to privilege escalation, information disclosure,     incorrect validation or an open redirect.

    For the stable distribution (bookworm), these problems have been fixed in     version 5.4.23+dfsg-1+deb12u3.

    We recommend that you upgrade your symfony packages.

    For the detailed security status of symfony please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/symfony

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Symfony versions prior to 5.4.46 or 6.x prior to 6.4.14 or 7.x prior to 7.1.7 is vulnerable when the register_argc_argv php directive is set to 'on' and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Note that since the vulnerable Symfony component is embedded in Laravel, the plugin is likely to detect a vulnerable Laravel instance.

ID	Name	Product	Family	Severity
318254	Debian dsa-6317 : php-symfony - security update	Nessus	Debian Local Security Checks	critical
318121	Debian dsa-6312 : php-symfony - security update	Nessus	Debian Local Security Checks	critical
231866	Linux Distros Unpatched Vulnerability : CVE-2024-50340	Nessus	Misc.	high
216425	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS : Symfony vulnerabilities (USN-7272-1)	Nessus	Ubuntu Local Security Checks	high
210744	Debian dsa-5809 : php-symfony - security update	Nessus	Debian Local Security Checks	medium
114497	Symfony < 5.4.46 / 6.x < 6.4.14 / 7.x < 7.1.7 Improper Input Handling	Web App Scanning	Component Vulnerability	high

Detections

Analytics

CVE-2024-50340

medium

Tenable Plugins

critical

critical

high

high

medium

high