PT-2026-43392 · Symfony · Polyfill-Intl-Idn

CVE-2026-46644

·

Published

2026-05-26

·

Updated

2026-07-14

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions symfony/polyfill-intl-idn versions prior to 1.x
Description The Idn::process() function fails to enforce the validity criterion defined in UTS #46 revision 33 Section 4 step 4.1.2. Specifically, it does not verify that a label prefixed with xn-- contains at least one non-ASCII code point after Punycode decoding. This results in the acceptance of labels with empty Punycode payloads or those that decode only to ASCII characters, which are normally rejected by the native PHP ext-intl extension with an IDNA ERROR INVALID ACE LABEL error. This inconsistency in hostname canonicalization and comparison can lead to server-side request forgery, inconsistent URL parsing, and the bypassing of blacklists.
Recommendations Update to the patched version of the 1.x branch. As a temporary workaround, restrict the use of the Idn::process() function for validating or comparing hostnames until the update is applied.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46644
GHSA-2XF4-CG6J-VHGQ

Affected Products

Polyfill-Intl-Idn