PT-2026-45034 · Symfony · Symfony

Published 2026-05-21 · Updated 2026-05-29 · CVE-2026-47212

CVSS v4.0: 4.6 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 6.4.11 (Twilio SMS notifier bridge)
Description: The Twilio SMS notifier bridge contains a webhook request parser used to authenticate and decode delivery status callbacks. The doParse(Request $request, #[SensitiveParameter] string $secret) method receives the configured webhook secret but never reads or verifies it: the X-Twilio-Signature header, which carries an HMAC over the callback URL and POST parameters computed with that secret, is ignored entirely. Anyone who can reach the webhook endpoint can therefore submit forged POST requests that are accepted as genuine Twilio callbacks, even when a signing secret is configured, potentially leading to delivery-metrics fraud or unauthorized triggering of downstream automation that reacts to message status changes.
Recommendations: Update to version 6.4.11 or later. Once the signature is verified, the check is computed over the request URL as Symfony reconstructs it, while Twilio signs the public URL it was configured to call. For applications behind a TLS-terminating reverse proxy or load balancer, configure framework.trusted_proxies and framework.trusted_headers so that Request::getUri() returns that public URL; otherwise genuine callbacks will fail verification and be dropped.
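The following is an added example, not code from Symfony or Twilio, that reimplements Twilio's documented request-signing scheme (HMAC-SHA1 over the public webhook URL followed by the POST parameters in lexical key order, base64-encoded) in plain PHP. It puts a stand-in for the vulnerable parser next to a hardened one and then shows both the forgery the advisory describes and the proxy caveat from the recommendation. The function names, auth token, URLs and callback bodies are all constructed for the demonstration.

```php
<?php
// Added example, not code from Symfony or Twilio. Reimplements Twilio's
// documented request-signing scheme in plain PHP so the missing check can be
// exercised offline. All tokens, URLs and callback bodies below are constructed.
declare(strict_types=1);

/**
 * Twilio's documented scheme: concatenate the full public URL of the webhook
 * (scheme through query string) with every POST parameter as key.value in
 * lexical key order, HMAC-SHA1 the result with the account auth token, and
 * base64-encode it. This is the value carried in X-Twilio-Signature.
 */
function twilioSignature(string $publicUrl, array $post, string $authToken): string
{
    ksort($post, SORT_STRING);               // byte-wise, case-sensitive order
    $data = $publicUrl;
    foreach ($post as $key => $value) {
        $data .= $key . $value;
    }
    return base64_encode(hash_hmac('sha1', $data, $authToken, true));
}

/**
 * Shape of the vulnerable parser (hypothetical stand-in for doParse before the
 * fix): the secret is received but never used, the header is never read, and
 * any body is turned into a status event.
 */
function parseUnverified(array $post, ?string $signature, string $secret): array
{
    return ['sid' => $post['MessageSid'] ?? '', 'status' => $post['MessageStatus'] ?? ''];
}

/**
 * Hardened shape: recompute the signature over the URL Twilio actually signed
 * and compare in constant time; reject before trusting anything in the body.
 */
function parseVerified(string $publicUrl, array $post, ?string $signature, string $secret): ?array
{
    if ($signature === null || $signature === '') {
        return null;                         // unsigned callback: reject
    }
    $expected = twilioSignature($publicUrl, $post, $secret);
    if (!hash_equals($expected, $signature)) {
        return null;                         // forged or misrouted: reject
    }
    return ['sid' => $post['MessageSid'] ?? '', 'status' => $post['MessageStatus'] ?? ''];
}

// --- Demo with constructed data ---
$authToken = 'constructed-twilio-auth-token';
$publicUrl = 'https://app.example.com/webhooks/twilio';   // the URL Twilio signs

$genuine    = ['MessageSid' => 'SMconstructed0001', 'MessageStatus' => 'delivered'];
$genuineSig = twilioSignature($publicUrl, $genuine, $authToken);

// An attacker reuses a known SID with a different status and a junk header.
$forged    = ['MessageSid' => 'SMconstructed0001', 'MessageStatus' => 'failed'];
$forgedSig = base64_encode(random_bytes(20));

$before = parseUnverified($forged, $forgedSig, $authToken);
$after  = parseVerified($publicUrl, $forged, $forgedSig, $authToken);
printf("vulnerable parser accepts forged status: %s\n", $before['status']);
printf("hardened parser on forged request: %s\n", $after === null ? 'rejected' : 'accepted');

$ok = parseVerified($publicUrl, $genuine, $genuineSig, $authToken);
printf("hardened parser on genuine request: %s\n", $ok['status'] ?? 'rejected');

// Deployment caveat from the recommendation: behind a TLS-terminating proxy
// with no trusted_proxies configured, Request::getUri() yields the internal
// http:// URL, so the same genuine callback no longer verifies and is dropped.
$internalUrl = 'http://10.0.0.5:8080/webhooks/twilio';
$misrouted   = parseVerified($internalUrl, $genuine, $genuineSig, $authToken);
printf("genuine request checked against internal URL: %s\n", $misrouted === null ? 'rejected' : 'accepted');
```

Run it with the php CLI: the forged body sails through parseUnverified, is rejected by parseVerified, the genuine body passes, and the last line shows why the trusted-proxy configuration matters once the signature is actually checked. In a real Symfony deployment the URL argument comes from Request::getUri(), the body from $request->request->all() and the header from $request->headers->get('X-Twilio-Signature'); the comparison must use hash_equals() rather than ==.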

Exploit

Fix

Weakness Enumeration

Missing Authentication

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-47212
GHSA-55RJ-X2VC-4WHQ

Affected Products

Symfony