CVE-2026-24739 [Medium] | Security Vulnerability in Symfony

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-29	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-29

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.3	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.0	5.2	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.3

3.1

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.0

5.2

[email protected]

OS Trackers for CVE-2026-24739

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-24739 unimportant priority: Debian including 1 source packages (symfony), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-24739

Affected software / configurations for CVE-2026-24739

Vendor	Product	Version	Raw CPE
sensiolabs	symfony	< 5.4.51	cpe:2.3:a:sensiolabs:symfony::::::::
sensiolabs	symfony	>= 6.4.0, < 6.4.33	cpe:2.3:a:sensiolabs:symfony::::::::
sensiolabs	symfony	>= 7.3.0, < 7.3.11	cpe:2.3:a:sensiolabs:symfony::::::::
sensiolabs	symfony	>= 7.4.0, < 7.4.5	cpe:2.3:a:sensiolabs:symfony::::::::
sensiolabs	symfony	>= 8.0.0, < 8.0.5	cpe:2.3:a:sensiolabs:symfony::::::::

References for CVE-2026-24739

URL	Tags
https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3	Patch
https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b	Patch
https://github.com/symfony/symfony/issues/62921	Exploit Issue Tracking Patch
https://github.com/symfony/symfony/pull/63164	Issue Tracking
https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6	Patch Vendor Advisory

URL

CVE-2026-24739 | Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations

Public exploit references (Exploit-DB) for CVE-2026-24739

Exploit prediction scoring system (EPSS) score for CVE-2026-24739

Common vulnerability scoring system (CVSS) metrics for CVE-2026-24739

Weakness enumeration for CVE-2026-24739

GitHub Security Advisory for CVE-2026-24739

OS Trackers for CVE-2026-24739

Affected software / configurations for CVE-2026-24739

References for CVE-2026-24739