PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45070 Sensiolabs CVE debrief

The CVE record for CVE-2026-45070 was published on 2026-07-14T19:17:06.147Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects Symfony framework versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, allowing for potential header injection attacks through the ParameterizedHeader component. Users of these versions should apply patches to prevent potential header injection attacks. The vulnerability has a CVSS score of 6.3 and is classified as MEDIUM severity.

Vendor
Sensiolabs
Product
Symfony
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Users of Symfony framework versions prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12 should apply patches to prevent potential header injection attacks. This includes operators, platform administrators, vulnerability management teams, and security teams who manage or use Symfony-based applications.

Technical summary

Symfony's ParameterizedHeader component validates and encodes parameter values but emits parameter names verbatim. This allows a caller with untrusted input to inject additional headers into structured mail headers like Content-Type or Content-Disposition. Fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The vulnerability has a CVSS score of 6.3 and is classified as MEDIUM severity. Users should review and validate input to ParameterizedHeader to prevent potential header injection.

Defensive priority

Medium priority due to potential for header injection attacks.

Recommended defensive actions

  • Apply patches to upgrade Symfony to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12.
  • Review and validate input to ParameterizedHeader to prevent potential header injection.
  • Monitor for suspicious activity related to structured mail headers.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

Official CVE and NVD records confirm the vulnerability and provide patch information. Limited additional source detail available. The CVE record was published on 2026-07-14T19:17:06.147Z and has not been modified since then. The NVD entry is currently Analyzed. Users should verify their deployments and apply patches accordingly.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T19:17:06.147Z and has not been modified since then. The NVD entry is currently Analyzed.