Vulnerability Details CVE-2026-45756
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 7.3.0-BETA1 until 7.4.12 and 8.0.12, the JsonPath component compiles attacker-controlled match() and search() filter patterns directly into preg_match() without a length cap, i-regexp restriction, or bounded backtracking, allowing catastrophic-backtracking expressions to pin worker CPU and cause denial of service. This issue is fixed in versions 7.4.12 and 8.0.12.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 36.8%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-45756
-
cpe:2.3:a:sensiolabs:symfony:7.3.0
-
cpe:2.3:a:sensiolabs:symfony:7.3.1
-
cpe:2.3:a:sensiolabs:symfony:7.3.10
-
cpe:2.3:a:sensiolabs:symfony:7.3.11
-
cpe:2.3:a:sensiolabs:symfony:7.3.2
-
cpe:2.3:a:sensiolabs:symfony:7.3.3
-
cpe:2.3:a:sensiolabs:symfony:7.3.4
-
cpe:2.3:a:sensiolabs:symfony:7.3.5
-
cpe:2.3:a:sensiolabs:symfony:7.3.6
-
cpe:2.3:a:sensiolabs:symfony:7.3.7
-
cpe:2.3:a:sensiolabs:symfony:7.3.8
-
cpe:2.3:a:sensiolabs:symfony:7.3.9
-
cpe:2.3:a:sensiolabs:symfony:7.4.0
-
cpe:2.3:a:sensiolabs:symfony:7.4.1
-
cpe:2.3:a:sensiolabs:symfony:7.4.10
-
cpe:2.3:a:sensiolabs:symfony:7.4.11
-
cpe:2.3:a:sensiolabs:symfony:7.4.2
-
cpe:2.3:a:sensiolabs:symfony:7.4.3
-
cpe:2.3:a:sensiolabs:symfony:7.4.4
-
cpe:2.3:a:sensiolabs:symfony:7.4.5
-
cpe:2.3:a:sensiolabs:symfony:7.4.6
-
cpe:2.3:a:sensiolabs:symfony:7.4.7
-
cpe:2.3:a:sensiolabs:symfony:7.4.8
-
cpe:2.3:a:sensiolabs:symfony:7.4.9
-
cpe:2.3:a:sensiolabs:symfony:8.0.0
-
cpe:2.3:a:sensiolabs:symfony:8.0.1
-
cpe:2.3:a:sensiolabs:symfony:8.0.10
-
cpe:2.3:a:sensiolabs:symfony:8.0.11
-
cpe:2.3:a:sensiolabs:symfony:8.0.2
-
cpe:2.3:a:sensiolabs:symfony:8.0.3
-
cpe:2.3:a:sensiolabs:symfony:8.0.4
-
cpe:2.3:a:sensiolabs:symfony:8.0.5
-
cpe:2.3:a:sensiolabs:symfony:8.0.6
-
cpe:2.3:a:sensiolabs:symfony:8.0.7
-
cpe:2.3:a:sensiolabs:symfony:8.0.8
-
cpe:2.3:a:sensiolabs:symfony:8.0.9