Arbitrary Argument Injection Affecting drupal-11.3 package, versions <11.3.3-r0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-DRUPAL113-15306246
- published17 Feb 2026
- disclosed28 Jan 2026
Introduced: 28 Jan 2026
CVE-2026-24739 (opens in a new tab)How to fix?
Upgrade Chainguard drupal-11.3 to version 11.3.3-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream drupal-11.3 package and not the drupal-11.3 package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably =) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. rmdir, del, etc.) with a path argument containing =, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contains a patch for the issue. Some workarounds are available. Avoid running PHP/one's own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing = (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via MSYS2_ARG_CONV_EXCL), understanding this may affect other tooling behavior.
References
- https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3
- https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b
- https://github.com/symfony/symfony/issues/62921
- https://github.com/symfony/symfony/pull/63164
- https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6