CVE-2026-48784

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained ../ or ./ → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Description

Symfony\Component\Routing\Generator\UrlGenerator::doGenerate() percent-encodes . and .. path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal (which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients — perform *before* percent-decoding).

The encoding was implemented as strtr($url, ['/../' => '/%2E%2E/', '/./' => '/%2E/']) plus a trailing-segment fixup. strtr advances past the trailing / of each match, so the next dot-segment in a chained sequence was left unescaped:

| Input | Output (before fix) | Expected | | -------------------- | ---------------------------------------- | ----------------------------------- | | /../../../ | /%2E%2E/../%2E%2E/ | /%2E%2E/%2E%2E/%2E%2E/ | | /foo/../../../bar | /foo/%2E%2E/../%2E%2E/bar | /foo/%2E%2E/%2E%2E/%2E%2E/bar |

When a route exposes a parameter constrained by a permissive requirement (.+, .*, or similar) that accepts dots and slashes, attacker-controlled chained .. or . segments produce a generated URL that, under strict RFC 3986 normalization, collapses to a different path than the originating route. The Twig path() / url() helpers and any server-side use of UrlGenerator are affected. Same class of route round-trip integrity issue as CVE-2026-45065.

Note: WHATWG-conformant browsers treat %2E/%2E%2E as dot-segments during URL parsing, so the encoding never protected browser-side traversal. The defense exists for RFC-3986-conformant consumers; restoring it for chained segments closes the gap there.

Resolution

UrlGenerator now matches every /. or /.. dot-segment in a single left-to-right preg_replace_callback pass using a lookahead that does not consume the trailing /, so adjacent dot-segments are encoded correctly.

The patches for this issue are available here for branch 5.4 (and forward-ported to 6.4, 7.4, 8.0 and 8.1).

Credits

Symfony would like to thank Alex Pott for reporting the issue and Nicolas Grekas for providing the fix.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

June 15, 2026

Last Modified

June 15, 2026

Vendor Advisories for CVE-2026-48784(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(2 across 1 ecosystem)
Packagist(2)
PackageVulnerable rangeFixed inDependents
symfony/routingv8.0.0 ... v8.0.9 (8 versions)8.0.13
symfony/symfonyv8.0.0 ... v8.0.9 (13 versions)8.0.13

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-15 17:45 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-48784?
CVE-2026-48784 is a medium vulnerability published on June 15, 2026. Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained ../ or ./ → Generated URL Collapses Off-Route Under RFC 3986 Normalization Description Symfony\Component\Routing\Generator\UrlGenerator::doGenerate() percent-encodes . and .. path segments so that the generated URL still resolves…
When was CVE-2026-48784 disclosed?
CVE-2026-48784 was first published in the National Vulnerability Database on June 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-48784?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48784, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48784

Explore →

Is Your Infrastructure Affected by CVE-2026-48784?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.