PT-2026-44546 · Symfony · Symfony Webhook Bridges

Published 2026-05-21 · Updated 2026-05-28 · CVE-2026-45754 · CVSS v4.0 6.6 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

Symfony Webhook Bridges versions prior to 6.4 (Mailjet mailer bridge)
Symfony Webhook Bridges versions prior to 7.4 (LOX24 SMS notifier bridge)

Description

The Mailjet mailer bridge and the LOX24 SMS notifier bridge contain webhook request parsers that fail to authenticate event callbacks. Their doParse(Request $request, #[SensitiveParameter] string $secret) methods receive the configured webhook secret but never use it, so the parser accepts the request and returns its payload unconditionally. Anyone who knows or guesses the webhook endpoint URL can therefore submit forged event payloads without any credentials, potentially leading to delivery-metrics fraud or suppression-list corruption (for example, forged bounce or unsubscribe events that cause legitimate recipients to be suppressed). Note that configuring a secret gives no protection on a vulnerable version, because the parsers ignore it.

Recommendations

Update to version 6.4 or later to fix the Mailjet bridge: MailjetRequestParser::doParse() must validate the HTTP Basic credentials presented on the callback against the configured secret using a constant-time comparison. Update to version 7.4 or later to fix the LOX24 bridge: Lox24RequestParser::doParse() must validate the X-LOX24-Token HTTP header against the configured secret.
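The following is an added example, not code from Symfony or from the advisory. It shows the flawed pattern (a doParse() that accepts $secret and never consults it) beside two hardened variants: one that checks an X-LOX24-Token header with hash_equals(), and one that checks HTTP Basic credentials the same way. The class names, the JsonPostRequestParser base class, and the assumption that the Basic-auth secret is configured as "user:password" are this example's own; the Symfony classes used (AbstractRequestParser, RejectWebhookException, RemoteEvent, the request matchers) are real and need symfony/webhook, symfony/remote-event and symfony/http-foundation installed via Composer.

```php
<?php
// Added example (not Symfony's own code). Requires PHP 8.2+ and, via Composer:
// symfony/webhook, symfony/remote-event, symfony/http-foundation.
declare(strict_types=1);

require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\ChainRequestMatcher;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcher\IsJsonRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcher\MethodRequestMatcher;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;
use Symfony\Component\RemoteEvent\RemoteEvent;
use Symfony\Component\Webhook\Client\AbstractRequestParser;
use Symfony\Component\Webhook\Exception\RejectWebhookException;

// Hypothetical shared base: only accept JSON POSTs and turn the body into an event.
abstract class JsonPostRequestParser extends AbstractRequestParser
{
    protected function getRequestMatcher(): RequestMatcherInterface
    {
        return new ChainRequestMatcher([new MethodRequestMatcher('POST'), new IsJsonRequestMatcher()]);
    }

    protected function toEvent(Request $request): RemoteEvent
    {
        $payload = $request->toArray(); // throws on malformed JSON
        return new RemoteEvent($payload['event'], $payload['id'], $payload);
    }
}

// The flaw: $secret is received but never used, so any caller is trusted.
final class UnauthenticatedSmsRequestParser extends JsonPostRequestParser
{
    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?RemoteEvent
    {
        return $this->toEvent($request);
    }
}

// Hardened LOX24-style variant: the shared token must arrive in X-LOX24-Token.
final class TokenAuthenticatedSmsRequestParser extends JsonPostRequestParser
{
    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?RemoteEvent
    {
        $token = $request->headers->get('X-LOX24-Token');
        // hash_equals() is constant-time; a plain === would leak timing information.
        if (null === $token || !hash_equals($secret, $token)) {
            throw new RejectWebhookException(401, 'Invalid X-LOX24-Token header.');
        }
        return $this->toEvent($request);
    }
}

// Hardened Mailjet-style variant: HTTP Basic credentials are compared to the secret.
// Assumption for this example: the configured secret is the string "user:password".
final class BasicAuthenticatedMailRequestParser extends JsonPostRequestParser
{
    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?RemoteEvent
    {
        $presented = $request->getUser().':'.$request->getPassword();
        if (null === $request->getUser() || !hash_equals($secret, $presented)) {
            throw new RejectWebhookException(401, 'Invalid HTTP Basic credentials.');
        }
        return $this->toEvent($request);
    }
}

// Constructed sample callback: an attacker forging a delivery event for message msg-42.
$secret = 'webhook-secret-from-config';
$body = json_encode(['event' => 'sms.delivered', 'id' => 'msg-42', 'status' => 'delivered']);
$json = ['CONTENT_TYPE' => 'application/json'];
$forged = Request::create('/webhook/lox24', 'POST', server: $json, content: $body);

// Vulnerable parser: the forged event is accepted and would be dispatched.
echo 'vulnerable: ', (new UnauthenticatedSmsRequestParser())->parse($forged, $secret)->getName(), "\n";

// Hardened parser: the same request is rejected before the payload is trusted.
try {
    (new TokenAuthenticatedSmsRequestParser())->parse($forged, $secret);
} catch (RejectWebhookException $e) {
    echo 'hardened: rejected with HTTP ', $e->getStatusCode(), "\n";
}

// A callback carrying the configured token still parses normally.
$genuine = Request::create('/webhook/lox24', 'POST',
    server: $json + ['HTTP_X_LOX24_TOKEN' => $secret], content: $body);
echo 'hardened: accepted ', (new TokenAuthenticatedSmsRequestParser())->parse($genuine, $secret)->getName(), "\n";
```

Running the script prints the forged event name from the vulnerable parser, a 401 rejection from the hardened one, and the accepted event once the correct token is supplied. The check belongs inside doParse() rather than in a surrounding controller because AbstractRequestParser::parse() is the single entry point the Webhook component calls; a parser that ignores its $secret argument silently turns the configured secret into dead configuration.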

Exploit

Fix

Weakness Enumeration

Improper Authentication
Missing Authentication

Related Identifiers

CVE-2026-45754
GHSA-64HG-93W9-FC35

Affected Products

Symfony Webhook Bridges