IsItPatched: Instant security status for any software version

CVE-2019-10913

CRITICAL severity · CVSS 9.8 · Cross-site scripting (XSS)

Summary

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

Impact & exploitability

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality impact: High
Integrity impact: High
Availability impact: High
Exploit probability (EPSS): 0%

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec

Last checked: Wed, 10 Jun 2026 22:18:30 UTC