CVE-2019-10909

MEDIUM

Symfony 2.7.0-2.7.50, 2.8.0-2.8.49, 3.0.0-3.4.25, 4.0.0-4.1.11, 4.2.0-4.2.6 - XSS in Validation Messages

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10909. PoCs published by moften.

AI-analyzed exploit summary: This repository contains a Python-based scanner for detecting multiple vulnerabilities in Symfony applications, including CRLF injection, Host Header Injection, and exposed Symfony Profiler endpoints. It performs safe, non-invasive checks without attempting exploitation.

Description

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Exploits (1)

nomisec SCANNER
by moften · poc
https://github.com/moften/Symfony-CVE-Scanner-PoC-


Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Symfony (various versions)
Authentication: No auth needed
Prerequisites: Network access to the target Symfony application
Analyzed by devstral-2 on Feb 16, 2026

References (4)


Scores

CVSS v3: 5.4
EPSS: 0.0036
EPSS Percentile: 58.3%
Attack Vector: NETWORK
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published

Products (6)

drupal/core 8.0.0 - 8.5.15 (Packagist)
drupal/drupal 8.0.0 - 8.5.15 (Packagist)
drupal/drupal 8.5.0 - 8.5.15
sensiolabs/symfony 2.7.0 - 2.7.51
symfony/framework-bundle 2.7.0 - 2.7.51 (Packagist)
symfony/symfony 2.7.0 - 2.7.51 (Packagist)

Published: May 16, 2019
Tracked Since: Feb 18, 2026