Ghostwire

CVE-2026-45756: Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS

LOW CVSS 2.5 Exploit Available

Published: May 28, 2026 | Last Modified: May 28, 2026

Description

Symfony's JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits — ReDoS

Ghostwire Analysis — What This Means Practically

Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References

github.com/symfony/symfony/security/advisories/GHSA-8v8v-g73j-492j
github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/json-path/CVE-20
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026
symfony.com/cve-2026-45756
github.com/advisories/GHSA-8v8v-g73j-492j
www.tenable.com/cve/CVE-2026-45756
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-45756