security-advisories/symfony/security-http/CVE-2026-48489.yaml at master · FriendsOfPHP/security-advisories · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
title:     "CVE-2026-48489: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes"
link:      https://symfony.com/cve-2026-48489
cve:       CVE-2026-48489
branches:
    2.x:
        time:     ~
        versions: ['>=2.0.0', '<3.0.0']
    3.x:
        time:     ~
        versions: ['>=3.0.0', '<4.0.0']
    4.x:
        time:     ~
        versions: ['>=4.0.0', '<5.0.0']
    5.0.x:
        time:     ~
        versions: ['>=5.0.0', '<5.1.0']
    5.1.x:
        time:     ~
        versions: ['>=5.1.0', '<5.2.0']
    5.2.x:
        time:     ~
        versions: ['>=5.2.0', '<5.3.0']
    5.3.x:
        time:     ~
        versions: ['>=5.3.0', '<5.4.0']
    5.4.x:
        time:     2026-05-26 08:00:00
        versions: ['>=5.4.0', '<5.4.53']
    6.0.x:
        time:     ~
        versions: ['>=6.0.0', '<6.1.0']
    6.1.x:
        time:     ~
        versions: ['>=6.1.0', '<6.2.0']
    6.2.x:
        time:     ~
        versions: ['>=6.2.0', '<6.3.0']
    6.3.x:
        time:     ~
        versions: ['>=6.3.0', '<6.4.0']
    6.4.x:
        time:     2026-05-26 08:00:00
        versions: ['>=6.4.0', '<6.4.41']
    7.0.x:
        time:     ~
        versions: ['>=7.0.0', '<7.1.0']
    7.1.x:
        time:     ~
        versions: ['>=7.1.0', '<7.2.0']
    7.2.x:
        time:     ~
        versions: ['>=7.2.0', '<7.3.0']
    7.3.x:
        time:     ~
        versions: ['>=7.3.0', '<7.4.0']
    7.4.x:
        time:     2026-05-26 08:00:00
        versions: ['>=7.4.0', '<7.4.13']
    8.0.x:
        time:     2026-05-26 08:00:00
        versions: ['>=8.0.0', '<8.0.13']
reference: composer://symfony/security-http