Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-48747— Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade

AI Predicted 7.5 Difficulty: Easy EPSS 0.02% · P5

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 4

VendorProductVersion RangeStatus
symfonymailomat-mailer>= 7.2.0, < 7.4.12affected
>= 8.0.0-BETA1, < 8.0.13affected
symfonysymfony>= 7.2.0, < 7.4.12affected
>= 8.0.0-BETA1, < 8.0.13affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48747

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
Source: NVD (National Vulnerability Database)
Vulnerability Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.13 and 8.0.13, MailomatRequestParser::validateSignature() parsed X-MOM-Webhook-Signature as algo=signature and passed the request-selected algorithm to hash_hmac(), allowing a signature algorithm downgrade instead of enforcing Mailomat's documented SHA-256 webhook signature. This issue is fixed in versions 7.4.13 and 8.0.13.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
symfonysymfony >= 7.2.0, < 7.4.12 -
symfonymailomat-mailer >= 7.2.0, < 7.4.12 -

II. Public POCs for CVE-2026-48747

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48747

登录查看更多情报信息。

Patches & Fixes for CVE-2026-48747 (2)

Vendor Advisories for CVE-2026-48747 (1)

Vendor Pages for CVE-2026-48747 (1)

Same Patch Batch · symfony · 2026-07-14 · 30 CVEs total

CVE-2026-45133Symfony: [Yaml] Harden the parser when handling untrusted input
CVE-2026-46644symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only
CVE-2026-48761Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>,
CVE-2026-48736Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-c
CVE-2026-48760Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks an
CVE-2026-48489Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access t
CVE-2026-48784Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Gener
CVE-2026-47212Symfony: Twilio Notifier Webhook Parser Never Verifies the X-Twilio-Signature HMAC: Unauth
CVE-2026-45068Symfony: Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
CVE-2026-45071Symfony: XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse =
CVE-2026-47767Symfony: SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/AP
CVE-2026-45075Symfony: HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureVali
CVE-2026-45304Symfony: YAML Parser Exponential Memory Allocation via Recursive Collection-Alias Expansio
CVE-2026-45063Symfony: Identity Spoofing via Unanchored DN Regex in X509Authenticator
CVE-2026-45070Symfony: Email Header Injection via Non-Token Characters in Mime Parameter Names
CVE-2026-45756Symfony: JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Wi
CVE-2026-45754Symfony: Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthentica
CVE-2026-45069Symfony: OidcTokenHandler Accepts JWTs Missing aud/iss/exp Claims
CVE-2026-45753Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascr
CVE-2026-45072Symfony: Stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File R

Showing top 20 of 30 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-48747

No comments yet


Leave a comment