Symfony and Multiple Symfony Components < 5.4.52 / 6.x < 6.4.40 / 7.x < 7.4.12 / 8.x < 8.0.12 Multiple Vulnerabilities

Severity: High | Nessus Plugin ID 318791

Synopsis

A PHP library installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Symfony and/or its Symfony Monolog Bridge / MIME / Mailer / Routing / Security HTTP Components installed on the remote host is/are 5.4.x prior to 5.4.52, 6.1.x prior to 6.4.40, 7.0.x prior to 7.4.12, or 8.0.x prior to 8.0.12 and is/are therefore affected by multiple vulnerabilities:

- An authentication bypass vulnerability exists in the Symfony Security HTTP Component's X509Authenticator client-certificate (mTLS) authentication due to the use of an unanchored regex to extract the emailAddress from the Subject DN string. An unauthenticated, remote attacker can exploit this, via a crafted client certificate containing an emailAddress string embedded within the CN (Common Name) field, to bypass authentication and impersonate arbitrary users. (CVE-2026-45063)

- An unsafe deserialization vulnerability exists in the Symfony Monolog Bridge Component's ServerLogCommand (server:log console command) due to it binding to all network interfaces (0.0.0.0:9911) by default and performing unauthenticated PHP object deserialization without an allowed_classes allowlist or integrity checks. An unauthenticated, remote attacker can exploit this, via crafted serialized PHP payloads sent to TCP port 9911, to cause a denial of service or potentially achieve remote code execution through PHP object injection with magic-method side effects, depending on the gadget chains available in the target environment. (CVE-2026-45077)

- A CRLF injection vulnerability exists in the Symfony MIME Component's Address class due to the constructor accepting email addresses whose quoted local-part contains raw \r\n bytes, despite being documented as validating its input. An authenticated, remote attacker can exploit this, via crafted email addresses with embedded CRLF sequences in the local-part (e.g., 'x\r\nBcc: attacker@evil'@example.com), to inject arbitrary email headers and SMTP commands, enabling unauthorized email disclosure, spam relay, or other mail-system abuse. (CVE-2026-45067)
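As an added illustration of the first and third issues above (example code written for this page, not Symfony's own code nor the fix shipped in the patched releases), the following Python contrasts a substring search for emailAddress in a Subject DN with an RDN-aware lookup, and adds the CR/LF rejection a mailer should apply to an address before it reaches a header. The DN strings and addresses are constructed samples, and the comma-separated `type=value` DN form is assumed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample DN strings (not taken from the advisory). The crafted one
# carries an "emailAddress=" string inside the CN value, while its real
# emailAddress RDN holds a different address.
DN_LEGIT = "C=US,O=Example,CN=alice,emailAddress=alice@example.com"
DN_CRAFTED = "CN=emailAddress=admin@example.com,O=Example,emailAddress=mallory@example.net"


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a comma-separated 'type=value' DN into (type, value) pairs.

    A backslash-escaped comma inside a value does not split the RDN
    (RFC 4514 style); the escape sequence is left in the value untouched.
    Assumes the comma-separated DN form; the slash-separated legacy form
    is not handled here.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip(), value))
    return rdns


def email_from_dn_unanchored(dn: str) -> Optional[str]:
    """The weak pattern: a substring search that matches 'emailAddress='
    wherever it occurs in the DN string, including inside the CN value."""
    m = re.search(r"emailAddress=([^,]+)", dn)
    return m.group(1) if m else None


def email_from_dn_rdn(dn: str) -> Optional[str]:
    """The hardened lookup: only the value of an RDN whose attribute type is
    exactly emailAddress is returned, so text inside other RDNs is ignored."""
    for attr, value in split_rdns(dn):
        if attr.lower() == "emailaddress":
            return value
    return None


def reject_crlf_in_address(addr: str) -> str:
    """Mailer-side check: refuse any address containing a raw CR or LF byte,
    even inside a quoted local-part, before it reaches a header or SMTP."""
    if "\r" in addr or "\n" in addr:
        raise ValueError("address contains CR/LF")
    return addr
```

On the crafted DN the substring search yields the address planted in CN, while the RDN-aware lookup yields the certificate's actual emailAddress attribute.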

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Also note that this plugin does not distinguish between PHP packages installed via the OS package manager, PHP packages installed via Composer, or other sources. As a result, packages provided by your OS package repository may have backported fixes that this plugin may incorrectly report as vulnerable. Please refer to the OS-specific plugins for CVE-2026-45063, CVE-2026-45065, CVE-2026-45067, CVE-2026-45068, and CVE-2026-45077 to check for backported fixes.

Solution

Upgrade Symfony and/or its affected Components to version 5.4.52, 6.4.40, 7.4.12, 8.0.12, or later.

See Also

http://www.nessus.org/u?c4d83d1a

https://github.com/advisories/GHSA-ph86-p8f6-f9r2

http://www.nessus.org/u?8e1a8335

https://github.com/advisories/GHSA-m7v2-7gxm-vc2v

http://www.nessus.org/u?0f9de61e

https://github.com/advisories/GHSA-qpmx-3rfj-7rhv

http://www.nessus.org/u?4f43363b

https://github.com/advisories/GHSA-xx3c-qf5g-hc39

http://www.nessus.org/u?91e9926d

https://github.com/advisories/GHSA-72xp-p242-47p9

Plugin Details

Severity: High

ID: 318791

File Name: symfony_components_GHSA-ph86-p8f6-f9r2.nasl

Version: 1.1

Type: Local

Agent: windows

Family: Misc.

Published: 6/5/2026

Updated: 6/5/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-45063

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:sensiolabs:symfony

Required KB Items: language_library/package/composer/enumerated

Patch Publication Date: 5/20/2026

Vulnerability Publication Date: 5/20/2026

Reference Information

CVE: CVE-2026-45063, CVE-2026-45065, CVE-2026-45067, CVE-2026-45068, CVE-2026-45077

IAVB: 2026-B-0140