CIVI-PSA-2026-02 Symfony

Published
2026-05-30 11:29
Written by

On May 20–27, 2026, Symfony published 36 security advisories alongside security releases for Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12, and Twig 3.26.0. The CiviCRM security team has reviewed these advisories and assessed their impact on CiviCRM. The security team has determined that these advisories have low to no impact on CiviCRM.

Background: How CiviCRM Uses Symfony

CiviCRM uses several Symfony components — primarily symfony/event-dispatcher and related utilities — as documented in the developer guide. These components are narrower in scope than a full Symfony application stack, which limits exposure to many of the advisories in this batch.

Assessment

The CiviCRM security team reviewed the advisories. The majority of the high- and critical-severity issues target either the Twig sandbox or Symfony components that CiviCRM does not use (such as symfony/html-sanitizer, NoPrivateNetworkHttpClient, and Symfony Mailer webhook parsers).

The full list of advisories is available at: https://symfony.com/blog/category/security-advisories https://symfony.com/blog/a-week-of-symfony-1012-may-18-24-2026

What should site administrators do?

No action is required if you are using CiviCRM in Standalone, Backdrop, WordPress. Drupal 9/10/11 sites should follow advice from Drupal. CiviCRM will incorporate updated Symfony dependencies in upcoming scheduled releases following its normal process and the next Extended Security Release(ESR).

Security Risk
Not Critical
Vulnerability
Other
Affected Versions

CiviCRM v6.14.1 and earlier

Fixed Versions

CiviCRM v6.15.0

Publication Date
Solutions

Update to CiviCRM 6.15 in June

Credits

Dave D, Kevin Cristiano of Tadpole Collective, Coleman Watts of CiviCRM Core, Seamus lee of JMA Consulting