CNNVD-202601-4651 Information
CNNVD ID
CNNVD-202601-4651
Related CVE
- CNNVD Published: 2026-01-28
Description (Chinese)
Symfony是Symfony公司的一个用于 Web 和控制台应用程序的 PHP 框架以及一组可重用的 PHP 组件。 Symfony存在参数注入漏洞,该漏洞源于Process组件在Windows上转义参数时未正确处理特殊字符,可能导致对意外路径执行操作。以下版本受到影响:5.4.51之前版本、6.4.33之前版本、7.3.11之前版本、7.4.5之前版本和8.0.5之前版本。
Description (English)
Symfony is a PHP framework for web and console applications and a reusable PHP component. Symfony has a gap in parameters, which stems from the fact that the Process component did not correctly handle special characters when transposing parameters on Windows, which may lead to an operation on an unexpected path. The following versions were affected: before 5.4.51, before 6.4.33, before 7.3.11, before 7.4.5 and before 8.5.5.
Hazard Level
High
Vulnerability Type
参数注入
Affected Vendor
Symfony
Published
2026-01-28
Last Modified
2026-02-24
References
https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3 https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b https://github.com/symfony/symfony/issues/62921 https://github.com/symfony/symfony/pull/63164 https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6
Patch
https://github.com/symfony/symfony/releases
Share on: