-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 May 2026 19:56:10 +0200
Source: symfony
Architecture: source
Version: 6.4.41+dfsg-0+deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: David Prévot
Changes:
 symfony (6.4.41+dfsg-0+deb13u1) trixie-security; urgency=medium
 .
   [ Fabien Potencier ]
   * Update VERSION for 6.4.41
 .
   [ Nicolas Grekas ]
   * [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces in URLs [CVE-2026-45064]
   * [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
   * [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
   * [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072]
   * [Cache] Validate the prefix given to AbstractAdapter::clear() [CVE-2026-45073]
   * [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
   * [Yaml] Harden the Parser::cleanup() regexes against catastrophic backtracking [CVE-2026-45305]
   * [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING'] [CVE-2026-46626]
   * [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient [CVE-2026-48736]
   * [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS [CVE-2026-48736]
   * [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace in URLs [CVE-2026-48760]
   * [HtmlSanitizer] Sanitize URL attributes on , ,