Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, UrlGenerator::doGenerate() used strtr() dot-segment encoding that skipped every other chained ../ or ./ segment, allowing attacker-controlled route parameters to generate URLs that collapse to a different path under RFC 3986 normalization. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.
History

Wed, 15 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, UrlGenerator::doGenerate() used strtr() dot-segment encoding that skipped every other chained ../ or ./ segment, allowing attacker-controlled route parameters to generate URLs that collapse to a different path under RFC 3986 normalization. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.
Title Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization
Weaknesses CWE-172
CWE-601
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-07-14T19:04:20.058Z

Updated: 2026-07-15T13:27:22.254Z

Reserved: 2026-05-22T20:18:20.365Z

Link: CVE-2026-48784

cve-icon Vulnrichment

Updated: 2026-07-15T13:23:18.829Z

cve-icon NVD

No data.

cve-icon Redhat

No data.