Drupal core-recommended pins vulnerable symfony/polyfill-intl-idn version affected by CVE-2026-46644

Affects 11.x and main also - no composer update possible without changing the composer.json

Confirming this also affects 11.3.10 (latest stable). Any attempt to require symfony/polyfill-intl-idn:^1.38.1 is rejected because drupal/core-recommended 11.3.10 pins ~v1.37.0. For anyone needing an immediate workaround while waiting for the next core release, this works:

1. In composer.json, replace "drupal/core-recommended": "~11.3.1" by "drupal/core": "~11.3.1" (11.3 is my need, adapt it)
2. Add "symfony/polyfill-intl-idn": "^1.38.1" to the root requires.
3. Run composer update drupal/core symfony/polyfill-intl-idn -W

Moving this to main for now.

Because Symfony doesn't release all components (no release if no code changed), this can result in some components that haven't been updated in a while, suddenly getting a security release with a minor bump. It feels like this could potentially happen more and more.

I ran composer require "symfony/polyfill-intl-idn:1.38.1 as 1.37.0" for the workaround, which I'll have to remove manually again when Drupal core has a new release, I'm just wondering if this does happen more and more. Hopefully not, but I worry about it with more AI-found security releases in older dependencies or things that haven't been updated in a while and those maintainers not being able to release patch versions.

MR against main https://git.drupalcode.org/project/drupal/-/merge_requests/15879 is passing.

I also tested cherry-picking to 11.x, 11.4.x, 11.3.x, and 10.6.x, and it seemed to work fine.

I wanted to spin up a new Drupal install and got the same issue

PKSA-dwsq-ppd2-mb1x is blocking it. https://symfony.com/blog/cve-2026-46644-insecure-equivalence-in-symfony-...

Enabling the native `intl` extension on your infrastructure will successfully bypass the vulnerable polyfill code at runtime as polyfill checks for it first.

Placing the following as a temporary work around worked for me, including within a DDEV project using the ddev-drupal-contrib add-on:

  "require-dev": {
    "symfony/polyfill-intl-idn": "1.38.1 as 1.37.0"
  }

Does this mean that anyone hoping to update for SA-CORE-2026-004 is going run into a hurdle for the time being?

You can disable composer security block temporarily using either an ENV or command line option: https://getcomposer.org/doc/03-cli.md#composer-no-blocking

Alternatively, you can add entries to config.policy.advisories in composer.json: https://getcomposer.org/doc/06-config.md#block

Hid https://git.drupalcode.org/project/drupal/-/merge_requests/15877 because the tests weren't passing and it was targeted against 10.6.x.

You can also add this to config section of composer.json

"audit": {
    "ignore": ["PKSA-dwsq-ppd2-mb1x"]
}

Tested the MR plus cherry-picks to all the branches mentioned in #10.

composer install and composer audit lead to the desired result.

#7 worked for me. Thank you!

Given the timing of this with the recent Drupal core security release, should the community expect an immediate follow-up release, or will that arrive during the next scheduled security window?

Related Symfony issue: https://github.com/symfony/polyfill/issues/621

Opened https://github.com/symfony/polyfill/issues/621 upstream. Even if it's only us that ran into this problem, still feels unnecessary.

Committed/pushed to main, 11.x, 11.4.x, 11.3.x, 11.2.x, 10.6.x and 10.5.x, thanks!

Please issue a new release as many will not know exactly what is happening and may end up being confused about what is the best approach to use.

Going to add the two workarounds to the summary. Basically, if your workflow is hard-blocked on this issue (which is likely not exploitable in core), best to use one of the workarounds until a new core release is tagged. However. if you're not hard-blocked in your workflow, you can evaluate the CVE itself, potentially ignore your security scanner output, and choose to just wait for the next core patch release.

Bumping to critical retroactively on account of the fact that this is interfering with the Drupal CMS installer.

Adding missing quote at the end of composer require "symfony/polyfill-intl-idn:1.38.1 as 1.37.0" workaround in Issue Summary.

Will deleting the line and updating to Drupal core (10.6.10?) take care of reverting it, when the time comes? I tried deleting the line in composer.json, and running composer update --lock but it did nothing.

There are also security updates for symfony/routing and symfony/http-foundation.

When do you plan the release of the fixed Drupal version? We would like to update Drupal and symfony at once...

twig need update too ..
| Package | twig/twig |
| Severity | |
| Advisory ID | PKSA-fbvq-z33h-r2np |
| CVE | CVE-2026-48808 |
| Title | Sandbox property allowlist bypass via the `column` filter under |
| | `SourcePolicyInterface` |
| URL | https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypas... |
| | e-column-filter-under-sourcepolicyinterface |
| Affected versions | >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0 |
| Reported at | 2026-05-27T15:00:00+00:00

It's already fixed in dev.

The problem is also on the Drupal 11.3.x branch and by launching
composer require drupal/core-recommended:11.3.10 drupal/core-composer-scaffold:11.3.10 drupal/core-project-message:11.3.10 --update-with-all-dependencies

the result is this:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires drupal/core-recommended 11.3.10 -> satisfiable by drupal/core-recommended[11.3.10].
    - drupal/core-recommended 11.3.10 requires symfony/polyfill-intl-idn ~v1.37.0 -> found symfony/polyfill-intl-idn[v1.37.0] but these were not loaded, because they are affected by security advisories ("PKSA-dwsq-ppd2-mb1x"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.

I reiterate: it's fixed in dev.