All Symfony CVEs — Complete Vulnerability History
Symfony is PHP's most widely used enterprise framework. It has an excellent security process: patches for all supported versions are released simultaneously. Track symfony.com/blog/security.
PHP · 10M+ weekly downloads · 4 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-10909 | 2019 | MEDIUM | XSS via Twig templates without escaping | Fixed 4.2.7 |
| CVE-2021-41268 | 2021 | HIGH | Authentication bypass via remember-me cookie | Fixed 5.3.12 |
| CVE-2022-24894 | 2022 | HIGH | Incorrect cache-control headers on private responses | Fixed 6.0.19 |
| CVE-2024-50340 | 2024 | HIGH | Authentication bypass via malformed token | Fixed 7.0.9 |
Current safe version: ^7.0. In composer.json:

```
# Before
"symfony/http-foundation": "^5.0"
# After
"symfony/http-foundation": "^7.0"
```

Then run: composer install
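A first-pass check of a project's pinned versions against the table above, as an added example (not PackageFix's scanner and not Symfony project code). It assumes composer.lock's standard layout (`packages` / `packages-dev` arrays with `name` and `version`) and treats the single fix version listed per CVE as a review threshold, since maintained branches such as 5.4 ship their own backported patch releases:

```python
import json
import re

# Fixed versions exactly as listed in the table above (one per CVE).
FIXED_VERSIONS = {
    "CVE-2019-10909": "4.2.7",
    "CVE-2021-41268": "5.3.12",
    "CVE-2022-24894": "6.0.19",
    "CVE-2024-50340": "7.0.9",
}
# Packages to check; the page names symfony/http-foundation, symfony/symfony is an added assumption.
WATCHED_PACKAGES = {"symfony/http-foundation", "symfony/symfony"}

def parse_version(version):
    """'v6.0.19' or '6.4.1' -> (6, 0, 19); None for tags like 'dev-main'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def review_lock(lock_json):
    """Map each watched package to the CVE ids whose listed fix version is
    newer than the pinned one. A hit means 'review', not 'vulnerable': a
    maintained branch such as 5.4 gets its own backported patch releases."""
    lock = json.loads(lock_json)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        if name not in WATCHED_PACKAGES:
            continue
        installed = parse_version(pkg.get("version", ""))
        if installed is None:
            findings[name] = ["unparseable version, review manually"]
            continue
        hits = [cve for cve, fixed in FIXED_VERSIONS.items()
                if installed < parse_version(fixed)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample composer.lock (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v5.4.20"},
        {"name": "twig/twig", "version": "v3.8.0"},
    ],
})

if __name__ == "__main__":
    for name, cves in review_lock(SAMPLE_LOCK).items():
        print(f"{name}: review {', '.join(cves)}")
```

The constructed 5.4.20 pin is flagged for CVE-2022-24894 and CVE-2024-50340 only because the table gives 6.x and 7.x fix versions; confirm against the 5.4 branch's own patch release before treating it as unpatched.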
Paste your manifest into PackageFix to see your exact versions against the full CVE history (free, no signup, no CLI, runs in your browser).
Common questions
How does Symfony handle security releases?
Symfony backports security fixes to all currently supported branches simultaneously. When a CVE is disclosed, patches are available for Symfony 5.4, 6.4, and 7.x at the same time.
Does the Symfony cache-control CVE affect production?
CVE-2022-24894 can cause private responses to be cached and served to other users by intermediate caches. If you use Symfony's HttpCache or an external reverse proxy, this is serious.