CVE-2026-45754

Summary

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

Affected Software

VendorProductVersion RangeStatus
symfonysymfony>= 6.4.0, < 6.4.40affected
symfonysymfony>= 7.0.0-BETA1, < 7.4.12affected
symfonysymfony>= 8.0.0-BETA1, < 8.0.12affected
symfonylox24-notifier>= 7.1.0-BETA1, < 7.4.12affected
symfonylox24-notifier>= 8.0.0-BETA1, < 8.0.12affected
symfonymailjet-mailer>= 6.4.0, < 6.4.40affected
symfonymailjet-mailer>= 7.0.0-BETA1, < 7.4.12affected
symfonymailjet-mailer>= 8.0.0-BETA1, < 8.0.12affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-306: CWE-306: Missing Authentication for Critical Function

References