Security Advisories - PKSA-dwsq-ppd2-mb1x - Packagist.org

PKSA-dwsq-ppd2-mb1x Security Advisory

CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode payload decodes to ASCII-only: insecure equivalence

PKSA-dwsq-ppd2-mb1x CVE-2026-46644

Affected package: symfony/polyfill-intl-idn

Affected version: >=1.17.1,<1.38.1

Reported by:
FriendsOfPHP/security-advisories