Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

Project Subscriptions

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6312-1 symfony security update
Github GHSA Github GHSA GHSA-64hg-93w9-fc35 Symfony's Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 14 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
Description Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST requests to inject forged Mailjet and LOX24 event payloads. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Title Symfony: Mailjet Mailer Webhook Parser Never Verifies the Configured Secret — Unauthenticated Webhook Event Injection
Weaknesses CWE-287
CWE-306
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-14T18:54:24.337Z

Reserved: 2026-05-13T06:54:34.221Z

Link: CVE-2026-45754

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses