All CVEs shipped in the coordinated release of v5.4.x / v6.4.40 / v7.4.12 / v8.0.12 on May 20, 2026. CVE numbers and descriptions are sourced from the v8.0.12 release notes. SA links are sourced from the Symfony security advisories blog.
| CVE | Component | Impact | SA report | Fix commit | Branches |
|---|---|---|---|---|---|
| CVE-2026-46626 | [Runtime] | CVE-2024-50340 patch bypass: web requests can still set APP_ENV/APP_DEBUG via parse_str/SAPI argv mismatch |
SA | 3228c3806e | 5.4+ |
| CVE-2026-47212 | [Notifier/Twilio] | Twilio webhook parser never verifies the X-Twilio-Signature HMAC: unauthentica |