Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, PdoAdapter::doClear() builds a DELETE statement using a namespace derived from the caller-supplied $prefix without binding or escaping it, allowing a caller able to influence $prefix to break out of the LIKE literal and alter query semantics or deletion scope. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Debian DSA |
DSA-6312-1 | symfony security update |
Debian DSA |
DSA-6317-1 | symfony security update |
Github GHSA |
GHSA-6qh9-h6wf-jgqc | Symfony Vulnerable to SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 14 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, PdoAdapter::doClear() builds a DELETE statement using a namespace derived from the caller-supplied $prefix without binding or escaping it, allowing a caller able to influence $prefix to break out of the LIKE literal and alter query semantics or deletion scope. This issue is fixed in versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12. | |
| Title | Symfony: SQL Injection in PdoAdapter::doClear() via Unsanitized $prefix | |
| Weaknesses | CWE-89 | |
| References |
|
|
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T19:14:47.342Z
Reserved: 2026-05-08T18:45:10.096Z
Link: CVE-2026-45073
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Debian DSA
Github GHSA