Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-45074

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 7.1.0 until 7.4.12 and 8.0.12, Cas2Handler builds the CAS service parameter from Request::getSchemeAndHttpHost(), which reflects an attacker-controlled Host header when framework.trusted_hosts is not configured; an attacker controlling another application registered with the same CAS server can replay a victim ticket against the Symfony application and authenticate as the victim. This issue is fixed in versions 7.4.12 and 8.0.12.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 37.5%
CVSS Severity
CVSS v3 Score 8.1
Products affected by CVE-2026-45074


Contact Us

Shodan ® - All rights reserved