CVE-2026-46644

NameCVE-2026-46644
Descriptioninsecure equivalence in symfony/polyfill-intl-idn for ASCII-only xn-- labels
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-symfony-polyfill (PTS)bullseye1.22.1-1vulnerable
bookworm1.27.0-2vulnerable
forky1.37.0-1vulnerable
sid1.38.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-symfony-polyfillsource(unstable)1.38.1-1

Notes

[bookworm] - php-symfony-polyfill <no-dsa> (Minor issue)
https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-polyfill-intl-idn-for-ascii-only-xn-labels
https://github.com/symfony/polyfill/security/advisories/GHSA-2xf4-cg6j-vhgq
Search for package or bug name: Reporting problems