Vulnerable Library - symfony/cache-v8.0.1
Provides extended PSR-6, PSR-16 (and tags) implementations
Library home page: https://api.github.com/repos/symfony/cache/zipball/0e67dc8145810d4e1c0d13c0e1d29ceb930b1c8e
Found in HEAD commit: 45fd85ad85cccc095b1d85471b9b73160b3006a7
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-45073
Vulnerable Library - symfony/cache-v8.0.1
Provides extended PSR-6, PSR-16 (and tags) implementations
Library home page: https://api.github.com/repos/symfony/cache/zipball/0e67dc8145810d4e1c0d13c0e1d29ceb930b1c8e
Dependency Hierarchy:
- ❌ symfony/cache-v8.0.1 (Vulnerable Library)
Found in HEAD commit: 45fd85ad85cccc095b1d85471b9b73160b3006a7
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Cache\Adapter\PdoAdapter" is the PDO-backed cache adapter. Its "clear($prefix)" method (inherited from "AbstractAdapterTrait") is documented to delete cache items whose key starts with "$prefix". In the non-versioning code path, the caller-supplied "$prefix" is concatenated into "$namespace = $this->namespace.$prefix" and passed to "PdoAdapter::doClear()", which builds: DELETE FROM
WHERE <id_col> LIKE '%' The value is interpolated directly into the SQL text and executed with "PDO::exec()": "$namespace" is not bound. A caller able to influence "$prefix" can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics. Most applications don't expose "clear($prefix)" to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself. Resolution "AbstractAdapterTrait::clear()" now rejects any "$prefix" containing characters outside "[-+.A-Za-z0-9]": when an invalid prefix is supplied, the method logs a warning and returns "false" instead of reaching the SQL layer. This blocks quotes, "%", null bytes and other characters that would let an attacker break out of the "LIKE" literal. The patch for this issue is available "here" (symfony/symfony@ec50b79) for branch 5.4. Credits Symfony would like to thank secsys_codex for reporting the issue and Nicolas Grekas for fixing it.
Publish Date: 2026-05-27
URL: CVE-2026-45073
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v7.4.12,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.12,https://github.com/symfony/symfony.git - v6.4.40
Step up your Open Source Security Game with Mend here
Provides extended PSR-6, PSR-16 (and tags) implementations
Library home page: https://api.github.com/repos/symfony/cache/zipball/0e67dc8145810d4e1c0d13c0e1d29ceb930b1c8e
Found in HEAD commit: 45fd85ad85cccc095b1d85471b9b73160b3006a7
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - symfony/cache-v8.0.1
Provides extended PSR-6, PSR-16 (and tags) implementations
Library home page: https://api.github.com/repos/symfony/cache/zipball/0e67dc8145810d4e1c0d13c0e1d29ceb930b1c8e
Dependency Hierarchy:
Found in HEAD commit: 45fd85ad85cccc095b1d85471b9b73160b3006a7
Found in base branch: develop
Vulnerability Details
Description "Symfony\Component\Cache\Adapter\PdoAdapter" is the PDO-backed cache adapter. Its "clear($prefix)" method (inherited from "AbstractAdapterTrait") is documented to delete cache items whose key starts with "$prefix". In the non-versioning code path, the caller-supplied "$prefix" is concatenated into "$namespace = $this->namespace.$prefix" and passed to "PdoAdapter::doClear()", which builds: DELETE FROM
WHERE <id_col> LIKE '%' The value is interpolated directly into the SQL text and executed with "PDO::exec()": "$namespace" is not bound. A caller able to influence "$prefix" can break out of the literal and inject SQL, expanding deletion scope from the intended prefix to arbitrary rows, or otherwise reshape query semantics. Most applications don't expose "clear($prefix)" to untrusted input directly, but the contract of the method is to safely accept any prefix string, so the lack of escaping is a defect of the adapter itself. Resolution "AbstractAdapterTrait::clear()" now rejects any "$prefix" containing characters outside "[-+.A-Za-z0-9]": when an invalid prefix is supplied, the method logs a warning and returns "false" instead of reaching the SQL layer. This blocks quotes, "%", null bytes and other characters that would let an attacker break out of the "LIKE" literal. The patch for this issue is available "here" (symfony/symfony@ec50b79) for branch 5.4. Credits Symfony would like to thank secsys_codex for reporting the issue and Nicolas Grekas for fixing it.Publish Date: 2026-05-27
URL: CVE-2026-45073
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v7.4.12,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.12,https://github.com/symfony/symfony.git - v6.4.40
Step up your Open Source Security Game with Mend here