CVE-2026-45754

Source
https://cve.org/CVERecord?id=CVE-2026-45754
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45754.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45754
Aliases
Downstream
Published
2026-07-14T18:54:24.337Z
Modified
2026-07-17T03:46:46.667323123Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Symfony: Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

Database specific
{
    "cwe_ids": [
        "CWE-287",
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45754.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type
GIT
Repo
https://github.com/symfony/security-http
Events
Database specific
{
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.4.40"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.12"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.12"
        }
    ],
    "source": "CPE_RANGE"
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.4.40"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.12"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.12"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v6.*
v6.4.0
v6.4.0-RC2
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.2
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.3
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v7.*
v7.0.0
v7.0.0-RC2
v7.0.1
v7.1.0
v7.1.0-BETA1
v7.1.0-RC1
v7.2.0
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.2.1
v7.3.0
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.4.0
v7.4.0-BETA1
v7.4.0-RC1
v7.4.0-RC2
v7.4.1
v7.4.11
v7.4.3
v7.4.4
v7.4.6
v7.4.8
v7.4.9
v8.*
v8.0.0
v8.0.1
v8.0.10
v8.0.11
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45754.json"