Vulnerable Library - giauphan/goutte-v1.2
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (giauphan/goutte-v1.2 version) |
Remediation Possible** |
| CVE-2026-45070 |
 Medium |
6.5 |
symfony/mime-v7.1.6 |
Transitive |
N/A* |
❌ |
| CVE-2026-45067 |
Medium |
6.5 |
symfony/mime-v7.1.6 |
Transitive |
N/A* |
❌ |
| CVE-2026-46644 |
Medium |
5.8 |
symfony/polyfill-intl-idn-v1.31.0 |
Transitive |
N/A* |
❌ |
| CVE-2026-45071 |
Medium |
4.3 |
symfony/dom-crawler-v7.1.6 |
Transitive |
N/A* |
❌ |
| CVE-2024-50342 |
 Low |
3.1 |
symfony/http-client-v7.1.7 |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-45070
Vulnerable Library - symfony/mime-v7.1.6
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/caa1e521edb2650b8470918dfe51708c237f0598
Dependency Hierarchy:
- giauphan/goutte-v1.2 (Root Library)
- ❌ symfony/mime-v7.1.6 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Description "Symfony\Component\Mime\Header\ParameterizedHeader" (and the related parameter handling reachable from "Symfony\Component\Mime\Header\Headers") is responsible for serializing structured headers such as "Content-Type" and "Content-Disposition", which carry "key=value" parameters (e.g. "Content-Disposition: attachment; filename="x""). RFC 2045 / RFC 5322 require parameter names to be "tokens": a restricted ASCII subset that excludes whitespace, CR/LF, and the "tspecials" set. Symfony's parameter handling validates and properly encodes parameter values, but does not validate parameter names: the supplied name is emitted verbatim into the serialized header. A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a "Content-Disposition" parameter name, can include "\r\n" or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot. Resolution "ParameterizedHeader" now rejects parameter names that contain bytes outside the RFC "token" character class. The patch for this issue is available "here" (symfony/symfony@e62ea21) for branch 5.4. Credits Symfony would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-27
URL: CVE-2026-45070
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v7.4.10,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38
Step up your Open Source Security Game with Mend here
CVE-2026-45067
Vulnerable Library - symfony/mime-v7.1.6
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/caa1e521edb2650b8470918dfe51708c237f0598
Dependency Hierarchy:
- giauphan/goutte-v1.2 (Root Library)
- ❌ symfony/mime-v7.1.6 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Description "Symfony\Component\Mime\Address" is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local-part (the part before "@") is an RFC-5322 quoted string containing raw "\r\n" bytes, e.g. ""x\r\nBcc: attacker@evil"@example.com". The stored address is later emitted verbatim into (1) the rendered message headers and (2) "SmtpTransport"'s "MAIL FROM:<...>" / "RCPT TO:<...>" protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. Resolution The "Address" constructor now rejects addresses containing line breaks. The patch for this issue is available "here" (symfony/symfony@dc2dbd2) for branch 5.4. Credits We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-27
URL: CVE-2026-45067
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v7.4.10
Step up your Open Source Security Game with Mend here
CVE-2026-46644
Vulnerable Library - symfony/polyfill-intl-idn-v1.31.0
Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
Library home page: https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/c36586dcf89a12315939e00ec9b4474adcb1d773
Dependency Hierarchy:
- giauphan/goutte-v1.2 (Root Library)
- symfony/mime-v7.1.6
- ❌ symfony/polyfill-intl-idn-v1.31.0 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Description "symfony/polyfill-intl-idn" provides a userland implementation of "idn_to_utf8()" and "idn_to_ascii()" for runtimes that lack the "intl" extension. Its "Idn::process()" method decodes labels prefixed with "xn--" using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point. As a consequence, "xn--" labels whose Punycode payload is empty ("xn--") or decodes to a string made of only ASCII code points (e.g. "xn--kc1zs4-") are accepted by the polyfill while PHP's native "ext-intl" rejects them with "IDNA_ERROR_INVALID_ACE_LABEL". Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224). Example with "IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII": | Input | Polyfill output | Native "ext-intl" output | | --- | --- | --- | | "poc.xn--kc1zs4-.com" | "poc.kc1zs4.com" | "false" ("errors=1024") | | "poc.kc1zs4.xn--" | "poc.kc1zs4." | "false" ("errors=1024") | Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency. Resolution "Idn::process()" now records "IDNA_ERROR_INVALID_ACE_LABEL" when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native "ext-intl" behaviour and UTS #46 revision 33. The patch for this issue is available "here" (symfony/polyfill@1be936e) for branch 1.x. Credits Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-05-28
URL: CVE-2026-46644
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2xf4-cg6j-vhgq
Release Date: 2026-05-28
Fix Resolution: symfony/polyfill-intl-idn - v1.38.1,symfony/polyfill - v1.38.1
Step up your Open Source Security Game with Mend here
CVE-2026-45071
Vulnerable Library - symfony/dom-crawler-v7.1.6
Eases DOM navigation for HTML and XML documents
Library home page: https://api.github.com/repos/symfony/dom-crawler/zipball/794ddd5481ba15d8a04132c95e211cd5656e09fb
Dependency Hierarchy:
- giauphan/goutte-v1.2 (Root Library)
- ❌ symfony/dom-crawler-v7.1.6 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Description "symfony/dom-crawler" provides the "Crawler" class for navigating HTML/XML documents with CSS/XPath selectors; "symfony/browser-kit"'s "HttpBrowser" uses it to parse fetched pages. "Crawler::addXmlContent()" sets "DOMDocument::$validateOnParse = true" before calling "loadXML()". Setting "validateOnParse" re-enables libxml's DTD subset processing, including external entity resolution, even though "LIBXML_NONET" is passed. "LIBXML_NONET" blocks network fetches but not "file://" entities. An attacker-supplied XML document with a "SYSTEM "file:///etc/passwd"" entity is therefore expanded. Resolution The "Crawler::addXmlContent" method does not set the "validateOnParse" flag anymore. The patch for this issue is available "here" (symfony/symfony@eea5fd7) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-27
URL: CVE-2026-45071
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v6.4.40,https://github.com/symfony/symfony.git - v8.0.12,https://github.com/symfony/symfony.git - v7.4.12
Step up your Open Source Security Game with Mend here
CVE-2024-50342
Vulnerable Library - symfony/http-client-v7.1.7
Provides powerful methods to fetch HTTP resources synchronously or asynchronously
Library home page: https://api.github.com/repos/symfony/http-client/zipball/90ab2a4992dcf5d1f19a9b8737eba36a7c305fd0
Dependency Hierarchy:
- giauphan/goutte-v1.2 (Root Library)
- ❌ symfony/http-client-v7.1.7 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the "NoPrivateNetworkHttpClient", some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the "NoPrivateNetworkHttpClient" now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50342
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9c3x-r3wp-mgxm
Release Date: 2024-11-06
Fix Resolution: symfony/http-client - v7.1.8,symfony/http-client - v6.4.15,symfony/http-client - v5.4.47,symfony/symfony - v7.1.8,symfony/symfony - v5.4.47,symfony/symfony - v6.4.15
Step up your Open Source Security Game with Mend here
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - symfony/mime-v7.1.6
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/caa1e521edb2650b8470918dfe51708c237f0598
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Description "Symfony\Component\Mime\Header\ParameterizedHeader" (and the related parameter handling reachable from "Symfony\Component\Mime\Header\Headers") is responsible for serializing structured headers such as "Content-Type" and "Content-Disposition", which carry "key=value" parameters (e.g. "Content-Disposition: attachment; filename="x""). RFC 2045 / RFC 5322 require parameter names to be "tokens": a restricted ASCII subset that excludes whitespace, CR/LF, and the "tspecials" set. Symfony's parameter handling validates and properly encodes parameter values, but does not validate parameter names: the supplied name is emitted verbatim into the serialized header. A caller that derives a parameter name from untrusted input, e.g. an application that lets a user influence a "Content-Disposition" parameter name, can include "\r\n" or other non-token bytes inside the name, terminating the current header and injecting additional headers in the rendered message. This is the classic CRLF / header-injection primitive applied to the parameter-name slot. Resolution "ParameterizedHeader" now rejects parameter names that contain bytes outside the RFC "token" character class. The patch for this issue is available "here" (symfony/symfony@e62ea21) for branch 5.4. Credits Symfony would like to thank Fabian Fleischer for reporting the issue and Alexandre Daubois for fixing it.
Publish Date: 2026-05-27
URL: CVE-2026-45070
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v7.4.10,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/mime-v7.1.6
Allows manipulating MIME messages
Library home page: https://api.github.com/repos/symfony/mime/zipball/caa1e521edb2650b8470918dfe51708c237f0598
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Description "Symfony\Component\Mime\Address" is the value-object every Symfony Mailer address (to/cc/bcc/from/reply-to) flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email addresses whose local-part (the part before "@") is an RFC-5322 quoted string containing raw "\r\n" bytes, e.g. ""x\r\nBcc: attacker@evil"@example.com". The stored address is later emitted verbatim into (1) the rendered message headers and (2) "SmtpTransport"'s "MAIL FROM:<...>" / "RCPT TO:<...>" protocol lines, turning the embedded CRLF into a new mail header and/or a new SMTP command. Resolution The "Address" constructor now rejects addresses containing line breaks. The patch for this issue is available "here" (symfony/symfony@dc2dbd2) for branch 5.4. Credits We would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-27
URL: CVE-2026-45067
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v8.0.10,https://github.com/symfony/symfony.git - v6.4.38,https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v7.4.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/polyfill-intl-idn-v1.31.0
Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
Library home page: https://api.github.com/repos/symfony/polyfill-intl-idn/zipball/c36586dcf89a12315939e00ec9b4474adcb1d773
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Description "symfony/polyfill-intl-idn" provides a userland implementation of "idn_to_utf8()" and "idn_to_ascii()" for runtimes that lack the "intl" extension. Its "Idn::process()" method decodes labels prefixed with "xn--" using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point. As a consequence, "xn--" labels whose Punycode payload is empty ("xn--") or decodes to a string made of only ASCII code points (e.g. "xn--kc1zs4-") are accepted by the polyfill while PHP's native "ext-intl" rejects them with "IDNA_ERROR_INVALID_ACE_LABEL". Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224). Example with "IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII": | Input | Polyfill output | Native "ext-intl" output | | --- | --- | --- | | "poc.xn--kc1zs4-.com" | "poc.kc1zs4.com" | "false" ("errors=1024") | | "poc.kc1zs4.xn--" | "poc.kc1zs4." | "false" ("errors=1024") | Applications using the polyfill to canonicalise or compare hostnames inherit the inconsistency. Resolution "Idn::process()" now records "IDNA_ERROR_INVALID_ACE_LABEL" when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native "ext-intl" behaviour and UTS #46 revision 33. The patch for this issue is available "here" (symfony/polyfill@1be936e) for branch 1.x. Credits Symfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-05-28
URL: CVE-2026-46644
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-2xf4-cg6j-vhgq
Release Date: 2026-05-28
Fix Resolution: symfony/polyfill-intl-idn - v1.38.1,symfony/polyfill - v1.38.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/dom-crawler-v7.1.6
Eases DOM navigation for HTML and XML documents
Library home page: https://api.github.com/repos/symfony/dom-crawler/zipball/794ddd5481ba15d8a04132c95e211cd5656e09fb
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Description "symfony/dom-crawler" provides the "Crawler" class for navigating HTML/XML documents with CSS/XPath selectors; "symfony/browser-kit"'s "HttpBrowser" uses it to parse fetched pages. "Crawler::addXmlContent()" sets "DOMDocument::$validateOnParse = true" before calling "loadXML()". Setting "validateOnParse" re-enables libxml's DTD subset processing, including external entity resolution, even though "LIBXML_NONET" is passed. "LIBXML_NONET" blocks network fetches but not "file://" entities. An attacker-supplied XML document with a "SYSTEM "file:///etc/passwd"" entity is therefore expanded. Resolution The "Crawler::addXmlContent" method does not set the "validateOnParse" flag anymore. The patch for this issue is available "here" (symfony/symfony@eea5fd7) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Publish Date: 2026-05-27
URL: CVE-2026-45071
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v5.4.52,https://github.com/symfony/symfony.git - v6.4.40,https://github.com/symfony/symfony.git - v8.0.12,https://github.com/symfony/symfony.git - v7.4.12
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-client-v7.1.7
Provides powerful methods to fetch HTTP resources synchronously or asynchronously
Library home page: https://api.github.com/repos/symfony/http-client/zipball/90ab2a4992dcf5d1f19a9b8737eba36a7c305fd0
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the "NoPrivateNetworkHttpClient", some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the "NoPrivateNetworkHttpClient" now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50342
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9c3x-r3wp-mgxm
Release Date: 2024-11-06
Fix Resolution: symfony/http-client - v7.1.8,symfony/http-client - v6.4.15,symfony/http-client - v5.4.47,symfony/symfony - v7.1.8,symfony/symfony - v5.4.47,symfony/symfony - v6.4.15
Step up your Open Source Security Game with Mend here