[Git][security-tracker-team/security-tracker][master] Add references for symfony issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed May 27 19:46:01 BST 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2dc2bb94 by Salvatore Bonaccorso at 2026-05-27T20:45:36+02:00
Add references for symfony issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,15 +1,35 @@
 CVE-2026-48736
 	- symfony 7.4.13+dfsg-1
+	NOTE: https://symfony.com/blog/cve-2026-48736-iputils-private-subnets-omits-ipv6-transition-forms-ssrf-bypass-in-noprivatenetworkhttpclient
+	NOTE: https://github.com/symfony/symfony/commit/85b831555be8ea1f43bf01078afe87bc4c92f65e (v6.4.41)
+	NOTE: https://github.com/symfony/symfony/commit/82765368cf74177c36613575182f168a2eb765b2 (v5.4.53)
 CVE-2026-48747
 	- symfony 7.4.13+dfsg-1
+	[trixie] - symfony <not-affected> (Vulnerable code not present)
+	[bookworm] - symfony <not-affected> (Vulnerable code not present)
+	[bullseye] - symfony <not-affected> (Vulnerable code not present)
+	NOTE: https://symfony.com/blog/cve-2026-48747-mailomat-webhook-parser-reads-the-hmac-algorithm-from-the-request-signature-algorithm-downgrade
+	NOTE: https://github.com/symfony/symfony/commit/bdfe9fe0d94d33dfaca0bc2fe0b00b54767b0c88 (v7.4.13)
 CVE-2026-48760
 	- symfony 7.4.13+dfsg-1
+	[bookworm] - symfony <not-affected> (Vulnerable code not present)
+	[bullseye] - symfony <not-affected> (Vulnerable code not present)
+	NOTE: https://symfony.com/blog/cve-2026-48760-htmlsanitizer-url-parser-underinclusive-percent-encoded-bidi-marks-and-unicode-whitespace-bypass
+	NOTE: https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8 (v6.4.41)
 CVE-2026-48761
 	- symfony 7.4.13+dfsg-1
+	[bookworm] - symfony <not-affected> (Vulnerable code not present)
+	[bullseye] - symfony <not-affected> (Vulnerable code not present)
+	NOTE: https://symfony.com/blog/cve-2026-48761-htmlsanitizer-misses-url-attributes-on-object-applet-iframe-img-and-meta-refresh
+	NOTE: https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0 (v6.4.41)
 CVE-2026-48784
 	- symfony 7.4.13+dfsg-1
+	NOTE: https://symfony.com/blog/cve-2026-48784-urlgenerator-encoding-skips-every-other-chained-or-generated-url-collapses-off-route
+	NOTE: https://github.com/symfony/symfony/commit/4b63c3a3f7af04ecd79c89a594b0b02a01990b1d (v5.4.53)
 CVE-2026-48489
 	- symfony 7.4.13+dfsg-1
+	NOTE: https://symfony.com/blog/cve-2026-48489-security-firewall-bypass-via-failure-forward-subrequest
+	NOTE: https://github.com/symfony/symfony/commit/c48a4276309e11aedeeb0ce3a89dfbf0b4fe04ff (v5.4.53)
 CVE-2026-46636
 	- php-twig <unfixed>
 	NOTE: https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-list-bypass-when-sandbox-state-changes-between-renders
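Review bot: The `<not-affected>` lines added under CVE-2026-48747, CVE-2026-48760 and CVE-2026-48761 all give the reason "Vulnerable code not present", but none of the entries records where the vulnerable code was introduced, so the triage cannot be re-checked from the entry itself. This matters most for CVE-2026-48760 and CVE-2026-48761: the fix commit is labelled v6.4.41, only bookworm and bullseye are excluded, and nothing states which upstream version first shipped the affected code. Consider adding a NOTE per entry that names the introducing commit or first affected upstream version (for example a "NOTE: Introduced by: <commit URL> (<version>)" line). The commit NOTE lines could also be prefixed with "Fixed by:", so they are distinguishable from the advisory links above them.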



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dc2bb94132f25e146766f2347979aac54f224cf
