Vulnerability DatabaseCVE-2024-51736
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-51736
Published:November 06, 2024
Updated:May 07, 2026
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Resources (7)
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
https://symfony.com/cve-2024-51736
https://nvd.nist.gov/vuln/detail/CVE-2024-51736
https://github.com/symfony/symfony
https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
Do you need more information?
Contact Us
Weakness Type (CWE)
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-77
EPSS
Base Score:
0.78