CVE-2026-48736

Source
https://cve.org/CVERecord?id=CVE-2026-48736
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48736.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48736
Aliases
Downstream
Related
Published
2026-07-14T19:09:30.260Z
Modified
2026-07-17T03:47:04.722055195Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N CVSS Calculator
Summary
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowing attacker-supplied URLs to represent private IPv4 targets in forms that IpUtils::isPrivateIp() did not block. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.

Database specific
{
    "cwe_ids": [
        "CWE-184",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48736.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type
GIT
Repo
https://github.com/symfony/security-http
Events
Database specific
{
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.4.0"
        },
        {
            "fixed": "5.4.43"
        },
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.4.41"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.13"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.13"
        }
    ],
    "source": "CPE_RANGE"
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.4.0"
        },
        {
            "fixed": "5.4.43"
        },
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.4.41"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.4.13"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.13"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v5.*
v5.4.0
v5.4.1
v5.4.10
v5.4.11
v5.4.12
v5.4.13
v5.4.14
v5.4.15
v5.4.16
v5.4.17
v5.4.18
v5.4.19
v5.4.2
v5.4.20
v5.4.21
v5.4.22
v5.4.23
v5.4.24
v5.4.25
v5.4.26
v5.4.27
v5.4.28
v5.4.29
v5.4.3
v5.4.30
v5.4.31
v5.4.32
v5.4.33
v5.4.34
v5.4.35
v5.4.36
v5.4.37
v5.4.38
v5.4.39
v5.4.4
v5.4.40
v5.4.41
v5.4.42
v5.4.43
v5.4.44
v5.4.45
v5.4.46
v5.4.47
v5.4.48
v5.4.49
v5.4.5
v5.4.50
v5.4.51
v5.4.52
v5.4.6
v5.4.7
v5.4.8
v5.4.9
v6.*
v6.4.0
v6.4.0-RC2
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.2
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.3
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39
v6.4.4
v6.4.40
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v7.*
v7.0.0
v7.0.0-RC2
v7.0.1
v7.1.0
v7.1.0-BETA1
v7.1.0-RC1
v7.2.0
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.2.1
v7.3.0
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.4.0
v7.4.0-BETA1
v7.4.0-RC1
v7.4.0-RC2
v7.4.1
v7.4.11
v7.4.12
v7.4.3
v7.4.4
v7.4.6
v7.4.8
v7.4.9
v8.*
v8.0.0
v8.0.1
v8.0.10
v8.0.11
v8.0.12
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48736.json"