PT-2026-44134 · Symfony · Symfony

Published 2026-05-21 · Updated 2026-05-27 · CVE-2026-45065

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Symfony versions prior to 5.4.25

Description

The UrlGenerator class, used by Twig path() and url() helpers, fails to properly anchor regular expressions when validating path parameters that use alternations. The validation pattern is constructed as '#^'.$req.'$#', which causes the ^ and $ anchors to apply only to the first and last alternatives. This allows values containing any of the middle alternatives to be accepted as valid. For example, a value like /evil.com could satisfy a requirement containing vi, resulting in the generation of a protocol-relative URL that redirects the browser to an external site.

Recommendations

Update to version 5.4.25 or later.
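
The anchoring flaw from the description, reproduced with plain preg_match() as an added example (not Symfony's code or its patch). The function names, the requirement strings and the sample values are constructed for illustration, and wrapping the requirement in a non-capturing group is an assumed way to anchor it correctly. The last helper flags requirements with an ungrouped top-level alternation, which is useful when auditing route definitions.

```php
<?php
declare(strict_types=1);

// Pattern built as the advisory describes: ^ binds to the first alternative, $ to the last.
function matchesUnanchored(string $req, string $value): bool
{
    return preg_match('#^' . $req . '$#', $value) === 1;
}

// Assumed correction: group the requirement so both anchors cover every alternative.
function matchesAnchored(string $req, string $value): bool
{
    return preg_match('#^(?:' . $req . ')$#', $value) === 1;
}

// Audit helper (hypothetical): true if the requirement has a '|' outside any group.
// Simplification: a literal ']' placed first inside a character class is not handled.
function hasTopLevelAlternation(string $req): bool
{
    $depth = 0;
    $inClass = false;
    for ($i = 0, $n = strlen($req); $i < $n; $i++) {
        $c = $req[$i];
        if ($c === '\\') { $i++; continue; }                 // skip the escaped character
        if ($inClass) { $inClass = ($c !== ']'); continue; } // '|' inside [...] is literal
        if ($c === '[') { $inClass = true; }
        elseif ($c === '(') { $depth++; }
        elseif ($c === ')') { $depth--; }
        elseif ($c === '|' && $depth === 0) { return true; }
    }
    return false;
}

// Constructed sample data: a locale-style requirement and candidate parameter values.
$req = 'en|vi|fr';
printf("%-12s %-12s %s\n", 'value', 'unanchored', 'anchored');
foreach (['en', 'vi', 'fr', '/evil.com', 'english', 'xfr'] as $value) {
    printf("%-12s %-12s %s\n", $value,
        matchesUnanchored($req, $value) ? 'accept' : 'reject',
        matchesAnchored($req, $value) ? 'accept' : 'reject');
}

// Constructed requirements to audit: only the first has an ungrouped alternation.
foreach (['en|vi|fr', '(en|vi|fr)', '\d+', '[a|b]+'] as $candidate) {
    printf("%-12s %s\n", $candidate, hasTopLevelAlternation($candidate) ? 'REVIEW' : 'ok');
}
```

With the unanchored pattern every sample value is accepted, including /evil.com, english and xfr; with the grouped pattern only en, vi and fr pass.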

Exploit

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-45065
GHSA-72XP-P242-47P9

Affected Products

Symfony