CVE-2026-45305

high

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser::cleanup() used regular expressions with overlapping quantifiers for YAML directive, comment, and document marker cleanup, allowing crafted input to make parsing hang for an arbitrarily long time. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.

References

https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m

https://github.com/symfony/symfony/releases/tag/v8.0.12

https://github.com/symfony/symfony/releases/tag/v7.4.12

https://github.com/symfony/symfony/releases/tag/v6.4.40

https://github.com/symfony/symfony/releases/tag/v5.4.52

https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb

Details

Source: Mitre, NVD

Published: 2026-07-14

Updated: 2026-07-14

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00076