PatchSiren cyber security CVE debrief
CVE-2026-47767 Sensiolabs CVE debrief
A high-severity vulnerability was found in Symfony, a PHP framework for web and console applications. The issue, tracked as CVE-2026-47767, allows attackers to execute code via crafted query strings. It exists in versions 5.4.46 through 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The vulnerability is caused by a disagreement between parse_str() and the web SAPI, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue has significant implications for applications that handle user-input data or expose sensitive information, emphasizing the need for immediate attention and mitigation.
- Vendor
- Sensiolabs
- Product
- Symfony
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Developers and administrators using Symfony versions 5.4.46 through 5.4.52, 6.4.40, 7.4.12, and 8.0.12 should be aware of this vulnerability. This issue is particularly concerning for applications that handle user-input data or expose sensitive information, as it could lead to code execution. Operators, platform administrators, and security teams need to assess their exposure and implement mitigations or patches as necessary.
Technical summary
The CVE-2026-47767 vulnerability in Symfony arises from the CVE-2024-50340 fix, which gated runtime argv parsing on empty($_GET). However, parse_str() and the web SAPI can disagree, allowing a crafted query string to leave $_GET empty while $_SERVER['argv'] still carries attacker-controlled --env or --no-debug flags that change APP_ENV or APP_DEBUG. This issue has been fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. The technical impact is significant as it allows for potential code execution through crafted query strings, emphasizing the need for prompt patching and review of user-input handling.
Defensive priority
High
Recommended defensive actions
- Update Symfony to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12
- Review and validate user-input data
- Implement additional security measures to monitor and restrict changes to APP_ENV and APP_DEBUG
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-14T19:17:09.237Z and was last modified on 2026-07-16T15:16:31.723Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify official Symfony documentation and vendor advisories for detailed mitigation guidance.
Official resources
-
CVE-2026-47767 CVE record
CVE.org
-
CVE-2026-47767 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Source reference
[email protected] - Not Applicable
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T19:17:09.237Z and has not been modified since then. The NVD entry is currently Analyzed.