CVE-2026-45304
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.1
CVSS
7.5
High
EPSS
0.8%
p53
KEV
—
Exploit Today
16
0-100
Published: Jul 14, 2026 · Last modified: Jul 15, 2026 · CWE-776
0.8%EPSS · 30 days0.8%
2026-07-152026-07-16
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, Symfony\Component\Yaml\Parser resolved YAML collection aliases recursively, allowing a small untrusted YAML input to expand into a multi-gigabyte structure and exhaust memory. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
- github.comhttps://github.com/symfony/symfony/commit/e77391b2e4f18821198f010d573674c8ed4a970a
- github.comhttps://github.com/symfony/symfony/releases/tag/v5.4.52
- github.comhttps://github.com/symfony/symfony/releases/tag/v6.4.40
- github.comhttps://github.com/symfony/symfony/releases/tag/v7.4.12
- github.comhttps://github.com/symfony/symfony/releases/tag/v8.0.12
- github.comhttps://github.com/symfony/symfony/security/advisories/GHSA-4qpc-3hr4-r2p4
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-331167.5 HIG80.0%
——24Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.2dCVE-2026-261717.5 HIG75.4%
——23Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.2dCVE-2026-262787.5 HIG52.8%
——16fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.14hCVE-2026-451337.5 HIG48.7%
——15Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, when the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.1dCVE-2026-416737.5 HIG46.7%
——14xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.2dCVE-2026-290747.5 HIG45.3%
——14SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.2d