CVE-2026-24739

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24739
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24739.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-24739
Aliases
Related
Published
2026-01-28T20:25:21.500Z
Modified
2026-02-16T10:30:20.168115Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
Summary
Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructive file operations
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably =) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. rmdir, del, etc.) with a path argument containing =, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing = (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via MSYS2_ARG_CONV_EXCL), understanding this may affect other tooling behavior.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24739.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-88"
    ]
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c5a2ee30e4049191b75cfdc16a0fc1eaeab9945a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.4.51"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
228a275ddcc1a4301fc8865945c0686b56658135
Fixed
f37cdc28f7efb22854981eb030d921fac174cb1a
Database specific 
{
    "versions": [
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.4.33"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
5babe8da13d379288ec141f9b5e325a1a6c39611
Fixed
452f1a3106c17a971672c43f6300cc12c99dad93
Database specific 
{
    "versions": [
        {
            "introduced": "7.3.0"
        },
        {
            "fixed": "7.3.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
25f2d564c9b8e93f1bfc1afa59c373e0409b599c
Fixed
f8669eb687795e4d501ec529c23371c8c239a2ef
Database specific 
{
    "versions": [
        {
            "introduced": "7.4.0"
        },
        {
            "fixed": "7.4.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
2e913a829cfbbf9cb38b321bdff1806b44b192eb
Fixed
93779efb243a5aede1d7a720a44f6dd303d96944
Database specific 
{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.5"
        }
    ]
}

Affected versions

v2.*
v2.0.0
v2.0.0-RC1
v2.0.0-RC2
v2.0.0-RC3
v2.0.0-RC4
v2.0.0-RC5
v2.0.0-RC6
v2.0.0BETA1
v2.0.0BETA2
v2.0.0BETA3
v2.0.0BETA4
v2.0.0BETA5
v2.0.0PR8
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.0-BETA1
v2.1.0-BETA2
v2.1.0-BETA3
v2.1.0-BETA4
v2.1.0-RC1
v2.1.0-RC2
v2.1.1
v2.1.10
v2.1.11
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.0-BETA1
v2.2.0-BETA2
v2.2.0-RC1
v2.2.0-RC2
v2.2.0-RC3
v2.2.1
v2.2.10
v2.2.11
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3.0
v2.3.0-BETA1
v2.3.0-BETA2
v2.3.0-RC1
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.0-BETA1
v2.4.0-BETA2
v2.4.0-RC1
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.1
v2.5.10
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.1
v2.6.10
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.0-BETA1
v2.7.0-BETA2
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.48
v2.7.49
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.0-BETA1
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.41
v2.8.42
v2.8.43
v2.8.44
v2.8.45
v2.8.46
v2.8.47
v2.8.48
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.1.0
v3.1.0-BETA1
v3.1.0-RC1
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-BETA1
v3.2.0-RC1
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-BETA1
v3.3.0-RC1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.4.0
v3.4.0-BETA1
v3.4.0-BETA2
v3.4.0-BETA3
v3.4.0-BETA4
v3.4.0-RC1
v3.4.0-RC2
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.22
v3.4.23
v3.4.24
v3.4.25
v3.4.26
v3.4.27
v3.4.28
v3.4.29
v3.4.3
v3.4.30
v3.4.31
v3.4.32
v3.4.33
v3.4.34
v3.4.35
v3.4.36
v3.4.37
v3.4.38
v3.4.39
v3.4.4
v3.4.40
v3.4.41
v3.4.42
v3.4.43
v3.4.44
v3.4.45
v3.4.46
v3.4.47
v3.4.48
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v4.*
v4.0.0
v4.0.0-BETA1
v4.0.0-BETA2
v4.0.0-BETA3
v4.0.0-BETA4
v4.0.0-RC1
v4.0.0-RC2
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-BETA1
v4.1.0-BETA2
v4.1.0-BETA3
v4.1.1
v4.1.10
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.0-BETA1
v4.2.0-BETA2
v4.2.0-RC1
v4.2.1
v4.2.10
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.0-BETA1
v4.3.0-BETA2
v4.3.0-RC1
v4.3.1
v4.3.10
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.3.9
v4.4.0
v4.4.0-BETA1
v4.4.0-BETA2
v4.4.0-RC1
v4.4.1
v4.4.10
v4.4.11
v4.4.12
v4.4.13
v4.4.14
v4.4.15
v4.4.16
v4.4.17
v4.4.18
v4.4.19
v4.4.2
v4.4.20
v4.4.21
v4.4.22
v4.4.23
v4.4.24
v4.4.25
v4.4.26
v4.4.27
v4.4.28
v4.4.29
v4.4.3
v4.4.30
v4.4.31
v4.4.32
v4.4.33
v4.4.34
v4.4.35
v4.4.36
v4.4.37
v4.4.38
v4.4.39
v4.4.4
v4.4.40
v4.4.41
v4.4.42
v4.4.43
v4.4.44
v4.4.45
v4.4.46
v4.4.47
v4.4.48
v4.4.49
v4.4.5
v4.4.50
v4.4.51
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v5.*
v5.0.0
v5.0.0-BETA1
v5.0.0-BETA2
v5.0.0-RC1
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1.0
v5.1.0-BETA1
v5.1.0-RC1
v5.1.0-RC2
v5.1.1
v5.1.10
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.8
v5.1.9
v5.2.0
v5.2.0-BETA1
v5.2.0-BETA2
v5.2.0-BETA3
v5.2.0-RC1
v5.2.0-RC2
v5.2.1
v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.3.0
v5.3.0-BETA1
v5.3.0-BETA2
v5.3.0-BETA3
v5.3.0-BETA4
v5.3.0-RC1
v5.3.1
v5.3.10
v5.3.11
v5.3.12
v5.3.13
v5.3.14
v5.3.15
v5.3.16
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.3.8
v5.3.9
v5.4.0
v5.4.0-BETA1
v5.4.0-BETA2
v5.4.0-BETA3
v5.4.0-RC1
v5.4.1
v5.4.10
v5.4.11
v5.4.12
v5.4.13
v5.4.14
v5.4.15
v5.4.16
v5.4.17
v5.4.18
v5.4.19
v5.4.2
v5.4.20
v5.4.21
v5.4.22
v5.4.23
v5.4.24
v5.4.25
v5.4.26
v5.4.27
v5.4.28
v5.4.29
v5.4.3
v5.4.30
v5.4.31
v5.4.32
v5.4.33
v5.4.34
v5.4.35
v5.4.36
v5.4.37
v5.4.38
v5.4.39
v5.4.4
v5.4.40
v5.4.41
v5.4.42
v5.4.43
v5.4.44
v5.4.45
v5.4.46
v5.4.47
v5.4.48
v5.4.49
v5.4.5
v5.4.50
v5.4.51
v5.4.6
v5.4.7
v5.4.8
v5.4.9
v6.*
v6.3.10
v6.3.11
v6.3.12
v6.3.9
v6.4.0
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.2
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.3
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v7.*
v7.2.7
v7.2.8
v7.3.0
v7.3.1
v7.3.10
v7.3.11
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.6
v7.3.7
v7.3.8
v7.3.9
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
Other
vPR10
vPR11
vPR12
vPR3
vPR4
vPR5
vPR6
vPR8
vPR9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24739.json"