symfony/symfony is vulnerable to remote code execution. When an instance of TagAwareAdapter is deserialized, Symfony executes callables stored in private properties in order to invalidate tags. When the instance has been created by unserializing an external payload, those properties are not checked, which leads to remote code execution.
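
The following is an added example, not Symfony's code: a minimal sketch of how a class that keeps callables in private properties can refuse to be rebuilt from a byte string, and how untrusted serialized input can be decoded as plain data. `HardenedTagCache` and `decodeUntrusted` are hypothetical names, the sample inputs are constructed, and PHP 7.2 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical adapter-like class (not Symfony's code): it keeps a callable in a
// private property and runs it on teardown to invalidate tags.
final class HardenedTagCache
{
    private $invalidate;        // callable supplied by trusted code only
    private $pendingTags = [];

    public function __construct(\Closure $invalidate) { $this->invalidate = $invalidate; }
    public function tag(string $tag): void { $this->pendingTags[] = $tag; }

    // Objects that carry callables are not data: refuse both directions.
    public function __sleep(): array { throw new \BadMethodCallException('Cannot serialize ' . self::class); }
    public function __wakeup(): void { throw new \BadMethodCallException('Cannot unserialize ' . self::class); }

    public function __destruct()
    {
        // PHP cannot unserialize a Closure, so a property value that is not a
        // Closure did not come from the constructor and is never called.
        if ($this->pendingTags !== [] && $this->invalidate instanceof \Closure) {
            ($this->invalidate)($this->pendingTags);
        }
    }
}

// Decode untrusted bytes as plain data; no class is ever instantiated.
function decodeUntrusted(string $bytes): array
{
    $value = @unserialize($bytes, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new \UnexpectedValueException('Expected a serialized array');
    }
    $check = static function ($v) use (&$check): void {
        if (is_object($v)) {    // objects arrive as __PHP_Incomplete_Class
            throw new \UnexpectedValueException('Serialized object rejected');
        }
        if (is_array($v)) { array_map($check, $v); }
    };
    $check($value);
    return $value;
}

// Constructed sample inputs: one plain array, then two that name the class.
var_dump(decodeUntrusted(serialize(['tags' => ['news', 'sports']])));
$rejected = ['decodeUntrusted' => 'a:1:{i:0;O:16:"HardenedTagCache":0:{}}', 'unserialize' => 'O:16:"HardenedTagCache":0:{}'];
foreach ($rejected as $fn => $bytes) {
    try { $fn($bytes); } catch (\Throwable $e) { echo $fn, ': ', get_class($e), ': ', $e->getMessage(), PHP_EOL; }
}
```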