Description
Your Symfony web application is using a weak/predictable application secret (APP_SECRET).
An attacker can use this secret to potentially execute arbitrary PHP code using the ESI (Edge-Side Includes) functionality that is accessible at /_fragment.
Remediation
It's recommended to change the Symfony's application secret (APP_SECRET) to a long random string.
References
Related Vulnerabilities
Drupal Core 8.8.x Remote Code Execution (8.8.0 - 8.8.7)
WordPress Plugin WPE Indoshipping Multiple Remote File Inclusion Vulnerabilities (2.5.0)
MongoDB $where operator JavaScript injection
Nginx PHP code execution via FastCGI
WordPress Plugin Groundhogg-Marketing Automation & CRM for WordPress Remote Code Execution (1.3.4)