Argument injection in a MimeTypeGuesser in Symfony

Invalid HTTP method overrides allow possible XSS or other attacks in Symfony

Symfony Path Disclosure

Symfony Authentication Bypass

Symphony Denial of Service Via Overlong Usernames

Improper Input Validation in Symfony

Deserialization of untrusted data in Symfony

CSRF token missing in Symfony

Authentication granted to all firewalls instead of just one

Symfony Open Redirect

Symfony DoS

Cookie persistence after password changes in symfony/security-bundle

Symfony vulnerable to command execution hijack on Windows with Process class

Symfony Incorrect Access Control

Symfony collectionCascaded and collectionCascadedDeeply fields security bypass

Symfony Http-Kernel has non-constant time comparison in UriSigner

Symfony Incorrect Access Control

Webcache Poisoning in symfony/http-kernel

Symfony vulnerable to open redirect via browser-sanitized URLs

** DISPUTED ** The debug handler in Symfony before v2.7.33, 2.8.x before v2.8.26, 3.x before v3.2.13, and 3.3.x before v3.3.6 has XSS via an array key during exception pretty printing in ExceptionHandler.php, as demonstrated by a /_debugbar/open?op=get URI. NOTE: the vendor's position is that this is not a vulnerability because the debug tools are not intended for production use. NOTE: the Symfony Debug component is used by Laravel Debugbar.