Argument injection in a MimeTypeGuesser in Symfony

Invalid HTTP method overrides allow possible XSS or other attacks in Symfony

Symfony Path Disclosure

Symfony Authentication Bypass

Symphony Denial of Service Via Overlong Usernames

Improper Input Validation in Symfony

Deserialization of untrusted data in Symfony

CSRF token missing in Symfony

Authentication granted to all firewalls instead of just one

Symfony Open Redirect

Symfony DoS

Cookie persistence after password changes in symfony/security-bundle

Symfony Incorrect Access Control

Symfony collectionCascaded and collectionCascadedDeeply fields security bypass

Symfony Http-Kernel has non-constant time comparison in UriSigner

Symfony Incorrect Access Control

Webcache Poisoning in symfony/http-kernel

** DISPUTED ** The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar.

** DISPUTED ** Reflected Cross-site scripting (XSS) vulnerability in the web profiler in SensioLabs Symfony 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the "file" parameter, aka an _profiler/open?file= URI. NOTE: The vendor states "The XSS ... is in the web profiler, a tool that should never be deployed in production (so, we don't handle those issues as security issues)."

Prevent cache poisoning via a Response Content-Type header in Symfony