CVE-2026-48784
MEDIUM SEVERITYVulnerability Description
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Vulnerability Details
Published Date
Last Modified
Source
GitHub
Vendor
composer
Product
symfony/routing
External References
- https://github.com/symfony/symfony/security/advisories/GHSA-h5x3-xfc9-m39h
- https://github.com/symfony/symfony/commit/4b63c3a3f7af04ecd79c89a594b0b02a01990b1d
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/routing/CVE-2026-48784.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-48784.yaml
- https://symfony.com/cve-2026-48784
- https://github.com/advisories/GHSA-h5x3-xfc9-m39h
Discussion (0)
Add Comment
No comments yet. Be the first!