CVE-2026-24739 — Vulnetix

CVE-2026-24739 PUBLISHED CVSS 6.300000190734863 MEDIUM

Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows

EPSS 0.01% · 1.6th percentile

Risk Scores

CVSS 3.1

6.300000190734863

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

EPSS Score

0.01%

1.6th percentile

Affected Products

Vendor	Product	Versions
symfony	process	8.0, 0, 6.4
sensiolabs	symfony	6.4.0, 8.0.0, 7.4.0
symfony	symfony	0, 7.3, 7.4
symfony	symfony	>= 8.0.0 , < 8.0.5, >= 7.4.0, < 7.4.5, >= 7.3.0, < 7.3.11
Symfony	Symfony

Exploit Intelligence

https://github.com/symfony/symfony/issues/62921 (nist-nvd)
CIRCL seen: CVE-2026-24739 (circl-sighting)
CIRCL seen: CVE-2026-24739 (circl-sighting)
https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3 (circl)
https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b (circl)
https://github.com/symfony/symfony/pull/63164 (circl)
https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6 (circl)
CVE-2026-24739.yml (github-poc)
CVE-2026-24739.yml (github-poc)
CVE-2026-24739.yml (github-poc)

…and 4 more exploits

Timeline

Jan 26, 2026 Fix PR Merged
Jan 28, 2026 CVE Published
Jan 28, 2026 PoC Published
Jan 28, 2026 PoC Published
Jan 29, 2026 EPSS Score
Jan 29, 2026 CVE Updated
Jan 29, 2026 Security Advisory
Jan 31, 2026 EPSS Score
Feb 3, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 8, 2026 EPSS Score
Feb 10, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›