CVE-2026-45755

Summary

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse() received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged Mailtrap delivery, bounce, open, click, or spam events. This issue is fixed in versions 7.4.12 and 8.0.12.

Affected Software

VendorProductVersion RangeStatus
symfonysymfony>= 7.2.0, < 7.4.12affected
symfonysymfony>= 8.0.0-BETA1, < 8.0.12affected
/mailtrap-mailermailtrap-mailer>= 7.2.0, < 7.4.12affected
/mailtrap-mailermailtrap-mailer>= 8.0.0-BETA1, < 8.0.12affected

Weaknesses

  • CWE-306: CWE-306: Missing Authentication for Critical Function
  • CWE-347: CWE-347: Improper Verification of Cryptographic Signature

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References