PatchSiren cyber security CVE debrief
CVE-2026-45070 Sensiolabs CVE debrief
The CVE record for CVE-2026-45070 was published on 2026-07-14T19:17:06.147Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects Symfony framework versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, allowing for potential header injection attacks through the ParameterizedHeader component. Users of these versions should apply patches to prevent potential header injection attacks. The vulnerability has a CVSS score of 6.3 and is classified as MEDIUM severity.
- Vendor
- Sensiolabs
- Product
- Symfony
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Users of Symfony framework versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12 should apply patches to prevent potential header injection attacks. This includes operators, platform administrators, vulnerability management teams, and security teams who manage or use Symfony-based applications.
Technical summary
Symfony's ParameterizedHeader component validates and encodes parameter values but emits parameter names verbatim. This allows a caller with untrusted input to inject additional headers into structured mail headers like Content-Type or Content-Disposition. Fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The vulnerability has a CVSS score of 6.3 and is classified as MEDIUM severity. Users should review and validate input to ParameterizedHeader to prevent potential header injection.
Defensive priority
Medium priority due to potential for header injection attacks.
Recommended defensive actions
- Apply patches to upgrade Symfony to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12.
- Review and validate input to ParameterizedHeader to prevent potential header injection.
- Monitor for suspicious activity related to structured mail headers.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
Official CVE and NVD records confirm the vulnerability and provide patch information. Limited additional source detail available. The CVE record was published on 2026-07-14T19:17:06.147Z and has not been modified since then. The NVD entry is currently Analyzed. Users should verify their deployments and apply patches accordingly.
Official resources
-
CVE-2026-45070 CVE record
CVE.org
-
CVE-2026-45070 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T19:17:06.147Z and has not been modified since then. The NVD entry is currently Analyzed.