Symfony Polyfill 1.38.1 is a security release addressing CVE-2026-46644, a medium-severity vulnerability in the `symfony/polyfill-intl-idn` package. The IDN polyfill incorrectly accepted invalid `xn--` Punycode labels that PHP's native `ext-intl` rejects, allowing two distinct domain names to canonicalize to the same value — potentially enabling blacklist bypasses, inconsistent URL parsing, and SSRF attacks. Applications using `idn_to_ascii()` or `idn_to_utf8()` without the `intl` extension are affected. The release also includes bug fixes for Mbstring (PHP 8.3/8.4 and 7.4), Grapheme compatibility with PCRE 8, and corrected cURL and MySQL constant definitions.
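A deployment check and a fail-closed host comparison for the issue described above, as an added example (not code from Symfony or from the release). The function names `idnProvider`, `canonicalHost` and `isDenied` are hypothetical, and reading the installed version assumes Composer 2's `Composer\InstalledVersions` runtime API is available through the autoloader.

```php
<?php
// Added example, not Symfony's code; function names are hypothetical.
use Composer\InstalledVersions;

const FIXED_POLYFILL = '1.38.1'; // fixed release named in the text above
const IDN_PACKAGE = 'symfony/polyfill-intl-idn';

/** Report which implementation backs idn_to_ascii()/idn_to_utf8() in this runtime. */
function idnProvider(): array
{
    if (extension_loaded('intl')) {
        return ['provider' => 'ext-intl', 'needs_upgrade' => false];
    }
    // Assumption: Composer 2's runtime API is reachable through the autoloader.
    if (!class_exists(InstalledVersions::class) || !InstalledVersions::isInstalled(IDN_PACKAGE)) {
        return ['provider' => 'none', 'needs_upgrade' => false];
    }
    $version = ltrim((string) InstalledVersions::getPrettyVersion(IDN_PACKAGE), 'v');
    // Anything that is not a plain x.y.z tag (dev branches) is flagged for manual review.
    $old = !preg_match('/^\d+\.\d+\.\d+$/', $version) || version_compare($version, FIXED_POLYFILL, '<');
    return ['provider' => 'polyfill ' . $version, 'needs_upgrade' => $old];
}

/** Return the canonical ASCII host, or null when conversion fails or does not round-trip. */
function canonicalHost(string $host): ?string
{
    if ($host === '') {
        return null;
    }
    $opts = IDNA_NONTRANSITIONAL_TO_ASCII | IDNA_NONTRANSITIONAL_TO_UNICODE;
    $ascii = idn_to_ascii($host, $opts, INTL_IDNA_VARIANT_UTS46, $toAscii);
    if ($ascii === false || ($toAscii['errors'] ?? 0) !== 0) {
        return null; // fail closed: never fall back to the raw input
    }
    $unicode = idn_to_utf8($ascii, $opts, INTL_IDNA_VARIANT_UTS46, $toUnicode);
    if ($unicode === false || ($toUnicode['errors'] ?? 0) !== 0) {
        return null;
    }
    // A well-formed name maps back to the same ASCII form it came from.
    return idn_to_ascii($unicode, $opts, INTL_IDNA_VARIANT_UTS46) === $ascii ? $ascii : null;
}

/** Compare canonical forms, so distinct spellings of one name match the same entry. */
function isDenied(string $host, array $denyList): bool
{
    $canonical = canonicalHost($host);
    // Hosts that cannot be canonicalized count as denied rather than being passed through.
    return $canonical === null || in_array($canonical, array_filter(array_map('canonicalHost', $denyList)), true);
}
```

The round-trip check is defence in depth for callers and does not replace upgrading: when `idnProvider()` reports `needs_upgrade`, move `symfony/polyfill-intl-idn` to 1.38.1 or enable `ext-intl`.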