Vulnerable Library - knplabs/knp-paginator-bundle-v6.10.0
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (knplabs/knp-paginator-bundle-v6.10.0 version) |
Remediation Possible** |
| CVE-2026-45075 |
 High |
8.1 |
symfony/http-kernel-v8.0.2 |
Transitive |
N/A* |
❌ |
| CVE-2026-48736 |
High |
7.2 |
symfony/http-foundation-v8.0.1 |
Transitive |
N/A* |
❌ |
| CVE-2026-45065 |
 Medium |
6.1 |
symfony/routing-v8.0.1 |
Transitive |
N/A* |
❌ |
| CVE-2026-48784 |
Medium |
5.8 |
symfony/routing-v8.0.1 |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-45075
Vulnerable Library - symfony/http-kernel-v8.0.2
Provides a structured process for converting a Request into a Response
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/bcef77a3c8ae8934ce7067172e2a1a6491a62a7d
Dependency Hierarchy:
- knplabs/knp-paginator-bundle-v6.10.0 (Root Library)
- ❌ symfony/http-kernel-v8.0.2 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description Symfony's "#[IsGranted('...')]", "#[IsSignatureValid]", and "#[IsCsrfTokenValid(...)]" attributes allow you to define a "methods: [...]" argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining "methods: ['GET']" would be ignored for a "HEAD" request. On the other hand, Symfony's router (and HTTP semantics generally) serves "HEAD" requests using the "GET" handler. Therefore, a controller protected by e.g. "#[IsGranted('ROLE_ADMIN', methods: ['GET'])]" can be reached via "HEAD" with the authorization check silently skipped. Even if the "HEAD" request won't get any response content, response headers leak ("Content-Length", "Location", custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur. Resolution When adding "GET" in the "methods" option of these attributes, Symfony now also include the "HEAD" method automatically. The patch for this issue is available "here" (symfony/symfony@fa8d5c6) for branch 7.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45075
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.11,https://github.com/symfony/symfony.git - v7.4.11,https://github.com/symfony/symfony.git - v6.4.39
Step up your Open Source Security Game with Mend here
CVE-2026-48736
Vulnerable Library - symfony/http-foundation-v8.0.1
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/3690740e2e8b19d877f20d4f10b7a489cddf0fe2
Dependency Hierarchy:
- knplabs/knp-paginator-bundle-v6.10.0 (Root Library)
- ❌ symfony/http-foundation-v8.0.1 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\HttpClient\NoPrivateNetworkHttpClient" is documented as a decorator that blocks requests to private networks by default. The list of blocked subnets ("Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS" on 6.4+, a private constant in "NoPrivateNetworkHttpClient" on 5.4) enumerates RFC1918, loopback, link-local and IPv4-mapped IPv6 ("::ffff:0:0/96") prefixes, but omits the remaining IPv6 transition forms that can embed a private IPv4 destination: 6to4 ("2002::/16", RFC 3056), Teredo ("2001::/32", RFC 4380), NAT64 ("64:ff9b::/96", RFC 6052 and "64:ff9b:1::/48", RFC 8215) and IPv4-compatible IPv6 ("::/96", RFC 4291 §2.5.5.1). "IpUtils::checkIp6()" is a pure bitwise CIDR comparison against the constants list and never extracts the embedded IPv4, so an attacker who can supply a URL writes the loopback / RFC1918 IPv4 target as e.g. "http://[2002:7f00:1::]/" (6to4 → 127.0.0.1), "http://[64:ff9b::7f00:1]/" (NAT64 → 127.0.0.1), "http://[::7f00:1]/" (IPv4-compatible → 127.0.0.1) or "http://[2001::1]/" (Teredo). "IpUtils::isPrivateIp()" returns "false" and "NoPrivateNetworkHttpClient" dispatches the request. Real-world reachability of the embedded IPv4 depends on the deploy's IPv6 routing (6to4 tunnel interface, upstream NAT64 gateway, kernel handling of IPv4-compatible addresses), but the security boundary the decorator promises — the dispatch decision — is crossed regardless of whether the packet ultimately lands on the embedded IPv4. Resolution The private-subnet list now includes "::/96", "2002::/16", "2001::/32", "64:ff9b::/96" and "64:ff9b:1::/48". Blanket blocking of these prefixes matches the policy applied by Chromium and Mozilla's Private Network Access; server-side HTTPS APIs are not legitimately published on these prefixes. The patches for this issue are available "here" (symfony/symfony@8276536) for branch 5.4 and "here" (symfony/symfony@85b8315) for branch 6.4 (and forward-ported to 7.4, 8.0 and 8.1). Credits Symfony would like to thank tonghuaroot for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-06-15
URL: CVE-2026-48736
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-38cx-cq6f-5755
Release Date: 2026-06-15
Fix Resolution: symfony/http-client - v5.4.53,symfony/http-foundation - v6.4.41,symfony/http-foundation - v8.0.13,symfony/http-foundation - v7.4.13,https://github.com/symfony/symfony.git - v6.4.41,https://github.com/symfony/symfony.git - v5.4.53,https://github.com/symfony/symfony.git - v8.0.13,https://github.com/symfony/symfony.git - v7.4.13
Step up your Open Source Security Game with Mend here
CVE-2026-45065
Vulnerable Library - symfony/routing-v8.0.1
Maps an HTTP request to a set of configuration variables
Library home page: https://api.github.com/repos/symfony/routing/zipball/bc8fa314a61fb7c4190e964b18a5bd000d3b45ce
Dependency Hierarchy:
- knplabs/knp-paginator-bundle-v6.10.0 (Root Library)
- ❌ symfony/routing-v8.0.1 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description Symfony routes can declare a requirements regex per path parameter, e.g. a route "/{_locale}/blog" with "requirements: { _locale: 'en|fr|de' }". The Twig "path()" / "url()" helpers (backed by "UrlGenerator") validate supplied parameter values against that regex before building the URL. UrlGenerator constructs the validation pattern as "'#^'.$req.'$#'", where "$req" is the raw requirement string. For a requirement expressed as an alternation, e.g. "_locale: 'ar|bg|...|vi|...|zh_CN'" (very common), "^" and "$" anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like "/evil.com" satisfies the requirement (because it contains "vi"), and the generated path becomes "//evil.com/...": a protocol-relative URL the browser navigates off-site. Resolution The "UrlGenerator" class now wraps the requirement in a non-capturing group so the "^" and "$" anchors apply to the whole alternation. The patch for this issue is available "here" (symfony/symfony@bcf487c) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-06-10
URL: CVE-2026-45065
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.9,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v7.4.9,https://github.com/symfony/symfony.git - v5.4.52
Step up your Open Source Security Game with Mend here
CVE-2026-48784
Vulnerable Library - symfony/routing-v8.0.1
Maps an HTTP request to a set of configuration variables
Library home page: https://api.github.com/repos/symfony/routing/zipball/bc8fa314a61fb7c4190e964b18a5bd000d3b45ce
Dependency Hierarchy:
- knplabs/knp-paginator-bundle-v6.10.0 (Root Library)
- ❌ symfony/routing-v8.0.1 (Vulnerable Library)
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Routing\Generator\UrlGenerator::doGenerate()" percent-encodes "." and ".." path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal (which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients — perform before percent-decoding). The encoding was implemented as "strtr($url, ['/../' => '/%2E%2E/', '/./' => '/%2E/'])" plus a trailing-segment fixup. "strtr" advances past the trailing "/" of each match, so the next dot-segment in a chained sequence was left unescaped: | Input | Output (before fix) | Expected | | -------------------- | ---------------------------------------- | ----------------------------------- | | "/../../../" | "/%2E%2E/../%2E%2E/" | "/%2E%2E/%2E%2E/%2E%2E/" | | "/foo/../../../bar" | "/foo/%2E%2E/../%2E%2E/bar" | "/foo/%2E%2E/%2E%2E/%2E%2E/bar" | When a route exposes a parameter constrained by a permissive requirement (".+", ".*", or similar) that accepts dots and slashes, attacker-controlled chained ".." or "." segments produce a generated URL that, under strict RFC 3986 normalization, collapses to a different path than the originating route. The Twig "path()" / "url()" helpers and any server-side use of "UrlGenerator" are affected. Same class of route round-trip integrity issue as CVE-2026-45065. Note: WHATWG-conformant browsers treat "%2E"/"%2E%2E" as dot-segments during URL parsing, so the encoding never protected browser-side traversal. The defense exists for RFC-3986-conformant consumers; restoring it for chained segments closes the gap there. Resolution "UrlGenerator" now matches every "/." or "/.." dot-segment in a single left-to-right "preg_replace_callback" pass using a lookahead that does not consume the trailing "/", so adjacent dot-segments are encoded correctly. The patches for this issue are available "here" (symfony/symfony@4b63c3a) for branch 5.4 (and forward-ported to 6.4, 7.4, 8.0 and 8.1). Credits Symfony would like to thank Alex Pott for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-06-15
URL: CVE-2026-48784
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.13,https://github.com/symfony/symfony.git - v6.4.41,https://github.com/symfony/symfony.git - v7.4.13,https://github.com/symfony/symfony.git - v5.4.53
Step up your Open Source Security Game with Mend here
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - symfony/http-kernel-v8.0.2
Provides a structured process for converting a Request into a Response
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/bcef77a3c8ae8934ce7067172e2a1a6491a62a7d
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Description Symfony's "#[IsGranted('...')]", "#[IsSignatureValid]", and "#[IsCsrfTokenValid(...)]" attributes allow you to define a "methods: [...]" argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining "methods: ['GET']" would be ignored for a "HEAD" request. On the other hand, Symfony's router (and HTTP semantics generally) serves "HEAD" requests using the "GET" handler. Therefore, a controller protected by e.g. "#[IsGranted('ROLE_ADMIN', methods: ['GET'])]" can be reached via "HEAD" with the authorization check silently skipped. Even if the "HEAD" request won't get any response content, response headers leak ("Content-Length", "Location", custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur. Resolution When adding "GET" in the "methods" option of these attributes, Symfony now also include the "HEAD" method automatically. The patch for this issue is available "here" (symfony/symfony@fa8d5c6) for branch 7.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-31
URL: CVE-2026-45075
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.11,https://github.com/symfony/symfony.git - v7.4.11,https://github.com/symfony/symfony.git - v6.4.39
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v8.0.1
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/3690740e2e8b19d877f20d4f10b7a489cddf0fe2
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\HttpClient\NoPrivateNetworkHttpClient" is documented as a decorator that blocks requests to private networks by default. The list of blocked subnets ("Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS" on 6.4+, a private constant in "NoPrivateNetworkHttpClient" on 5.4) enumerates RFC1918, loopback, link-local and IPv4-mapped IPv6 ("::ffff:0:0/96") prefixes, but omits the remaining IPv6 transition forms that can embed a private IPv4 destination: 6to4 ("2002::/16", RFC 3056), Teredo ("2001::/32", RFC 4380), NAT64 ("64:ff9b::/96", RFC 6052 and "64:ff9b:1::/48", RFC 8215) and IPv4-compatible IPv6 ("::/96", RFC 4291 §2.5.5.1). "IpUtils::checkIp6()" is a pure bitwise CIDR comparison against the constants list and never extracts the embedded IPv4, so an attacker who can supply a URL writes the loopback / RFC1918 IPv4 target as e.g. "http://[2002:7f00:1::]/" (6to4 → 127.0.0.1), "http://[64:ff9b::7f00:1]/" (NAT64 → 127.0.0.1), "http://[::7f00:1]/" (IPv4-compatible → 127.0.0.1) or "http://[2001::1]/" (Teredo). "IpUtils::isPrivateIp()" returns "false" and "NoPrivateNetworkHttpClient" dispatches the request. Real-world reachability of the embedded IPv4 depends on the deploy's IPv6 routing (6to4 tunnel interface, upstream NAT64 gateway, kernel handling of IPv4-compatible addresses), but the security boundary the decorator promises — the dispatch decision — is crossed regardless of whether the packet ultimately lands on the embedded IPv4. Resolution The private-subnet list now includes "::/96", "2002::/16", "2001::/32", "64:ff9b::/96" and "64:ff9b:1::/48". Blanket blocking of these prefixes matches the policy applied by Chromium and Mozilla's Private Network Access; server-side HTTPS APIs are not legitimately published on these prefixes. The patches for this issue are available "here" (symfony/symfony@8276536) for branch 5.4 and "here" (symfony/symfony@85b8315) for branch 6.4 (and forward-ported to 7.4, 8.0 and 8.1). Credits Symfony would like to thank tonghuaroot for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-06-15
URL: CVE-2026-48736
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-38cx-cq6f-5755
Release Date: 2026-06-15
Fix Resolution: symfony/http-client - v5.4.53,symfony/http-foundation - v6.4.41,symfony/http-foundation - v8.0.13,symfony/http-foundation - v7.4.13,https://github.com/symfony/symfony.git - v6.4.41,https://github.com/symfony/symfony.git - v5.4.53,https://github.com/symfony/symfony.git - v8.0.13,https://github.com/symfony/symfony.git - v7.4.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/routing-v8.0.1
Maps an HTTP request to a set of configuration variables
Library home page: https://api.github.com/repos/symfony/routing/zipball/bc8fa314a61fb7c4190e964b18a5bd000d3b45ce
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Description Symfony routes can declare a requirements regex per path parameter, e.g. a route "/{_locale}/blog" with "requirements: { _locale: 'en|fr|de' }". The Twig "path()" / "url()" helpers (backed by "UrlGenerator") validate supplied parameter values against that regex before building the URL. UrlGenerator constructs the validation pattern as "'#^'.$req.'$#'", where "$req" is the raw requirement string. For a requirement expressed as an alternation, e.g. "_locale: 'ar|bg|...|vi|...|zh_CN'" (very common), "^" and "$" anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like "/evil.com" satisfies the requirement (because it contains "vi"), and the generated path becomes "//evil.com/...": a protocol-relative URL the browser navigates off-site. Resolution The "UrlGenerator" class now wraps the requirement in a non-capturing group so the "^" and "$" anchors apply to the whole alternation. The patch for this issue is available "here" (symfony/symfony@bcf487c) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-06-10
URL: CVE-2026-45065
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.9,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v7.4.9,https://github.com/symfony/symfony.git - v5.4.52
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/routing-v8.0.1
Maps an HTTP request to a set of configuration variables
Library home page: https://api.github.com/repos/symfony/routing/zipball/bc8fa314a61fb7c4190e964b18a5bd000d3b45ce
Dependency Hierarchy:
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Routing\Generator\UrlGenerator::doGenerate()" percent-encodes "." and ".." path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal (which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients — perform before percent-decoding). The encoding was implemented as "strtr($url, ['/../' => '/%2E%2E/', '/./' => '/%2E/'])" plus a trailing-segment fixup. "strtr" advances past the trailing "/" of each match, so the next dot-segment in a chained sequence was left unescaped: | Input | Output (before fix) | Expected | | -------------------- | ---------------------------------------- | ----------------------------------- | | "/../../../" | "/%2E%2E/../%2E%2E/" | "/%2E%2E/%2E%2E/%2E%2E/" | | "/foo/../../../bar" | "/foo/%2E%2E/../%2E%2E/bar" | "/foo/%2E%2E/%2E%2E/%2E%2E/bar" | When a route exposes a parameter constrained by a permissive requirement (".+", ".*", or similar) that accepts dots and slashes, attacker-controlled chained ".." or "." segments produce a generated URL that, under strict RFC 3986 normalization, collapses to a different path than the originating route. The Twig "path()" / "url()" helpers and any server-side use of "UrlGenerator" are affected. Same class of route round-trip integrity issue as CVE-2026-45065. Note: WHATWG-conformant browsers treat "%2E"/"%2E%2E" as dot-segments during URL parsing, so the encoding never protected browser-side traversal. The defense exists for RFC-3986-conformant consumers; restoring it for chained segments closes the gap there. Resolution "UrlGenerator" now matches every "/." or "/.." dot-segment in a single left-to-right "preg_replace_callback" pass using a lookahead that does not consume the trailing "/", so adjacent dot-segments are encoded correctly. The patches for this issue are available "here" (symfony/symfony@4b63c3a) for branch 5.4 (and forward-ported to 6.4, 7.4, 8.0 and 8.1). Credits Symfony would like to thank Alex Pott for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-06-15
URL: CVE-2026-48784
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.13,https://github.com/symfony/symfony.git - v6.4.41,https://github.com/symfony/symfony.git - v7.4.13,https://github.com/symfony/symfony.git - v5.4.53
Step up your Open Source Security Game with Mend here