PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47767 Sensiolabs CVE debrief

A high-severity vulnerability was found in Symfony, a PHP framework for web and console applications. The issue, tracked as CVE-2026-47767, allows attackers to execute code via crafted query strings. It exists in versions 5.4.46 through 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The vulnerability is caused by a disagreement between parse_str() and the web SAPI, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue has significant implications for applications that handle user-input data or expose sensitive information, emphasizing the need for immediate attention and mitigation.

Vendor
Sensiolabs
Product
Symfony
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Developers and administrators using Symfony versions 5.4.46 through 5.4.52, 6.4.40, 7.4.12, and 8.0.12 should be aware of this vulnerability. This issue is particularly concerning for applications that handle user-input data or expose sensitive information, as it could lead to code execution. Operators, platform administrators, and security teams need to assess their exposure and implement mitigations or patches as necessary.

Technical summary

The CVE-2026-47767 vulnerability in Symfony arises from the CVE-2024-50340 fix, which gated runtime argv parsing on empty($_GET). However, parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue has been fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The technical impact is significant as it allows for potential code execution through crafted query strings, emphasizing the need for prompt patching and review of user-input handling.

Defensive priority

High

Recommended defensive actions

  • Update Symfony to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12
  • Review and validate user-input data
  • Implement additional security measures to monitor and restrict changes to APP_ENV and APP_DEBUG
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-14T19:17:09.237Z and was last modified on 2026-07-16T15:16:31.723Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify official Symfony documentation and vendor advisories for detailed mitigation guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T19:17:09.237Z and has not been modified since then. The NVD entry is currently Analyzed.