Back to overview

CVE-2026-45755

MEDIUM
6.9
CVSS 4.0
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse() received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged Mailtrap delivery, bounce, open, click, or spam events. This issue is fixed in versions 7.4.12 and 8.0.12.

Metadata

CVE ID
CVE-2026-45755
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-13 06:54 UTC
Published
2026-07-14 18:56 UTC
Last updated
2026-07-14 19:46 UTC
Primary CWE
CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product
symfony / symfony
Sources
cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (2)
VendorProductPlatformVersions
/mailtrap-mailer mailtrap-mailer >= 7.2.0, < 7.4.12, >= 8.0.0-BETA1, < 8.0.12
symfony symfony >= 7.2.0, < 7.4.12, >= 8.0.0-BETA1, < 8.0.12
Weakness (CWE)
CWESourceDescription
CWE-306 cna CWE-306: Missing Authentication for Critical Function
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References (4)
Back to overview