Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for html-sanitizer by symfony

    CVE-2026-48761 (GCVE-0-2026-48761)

    Vulnerability from nvd – Published: 2026-07-14 19:21 – Updated: 2026-07-14 19:21
    VLAI
    Title
    Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes() omitted URL-bearing attributes on <object>, <applet>, <iframe>, and <img>, and <meta http-equiv="refresh"> URLs inside content bypassed URL sanitization, allowing explicitly enabled elements or attributes to pass javascript: and similar payloads into sanitized output. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-1023 - Incomplete Comparison with Missing Factors
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes() omitted URL-bearing attributes on \u003cobject\u003e, \u003capplet\u003e, \u003ciframe\u003e, and \u003cimg\u003e, and \u003cmeta http-equiv=\"refresh\"\u003e URLs inside content bypassed URL sanitization, allowing explicitly enabled elements or attributes to pass javascript: and similar payloads into sanitized output. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1023",
                  "description": "CWE-1023: Incomplete Comparison with Missing Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T19:21:26.582Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-x5qj-865h-mgvm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x5qj-865h-mgvm"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.13"
            }
          ],
          "source": {
            "advisory": "GHSA-x5qj-865h-mgvm",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003cobject\u003e, \u003capplet\u003e, \u003ciframe\u003e, \u003cimg\u003e and the URL Inside \u003cmeta http-equiv=\"refresh\"\u003e content"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48761",
        "datePublished": "2026-07-14T19:21:26.582Z",
        "dateReserved": "2026-05-22T19:39:05.356Z",
        "dateUpdated": "2026-07-14T19:21:26.582Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48760 (GCVE-0-2026-48760)

    Vulnerability from nvd – Published: 2026-07-14 19:11 – Updated: 2026-07-15 14:36
    VLAI
    Title
    Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    • CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:35:52.904845Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:36:03.339Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1007",
                  "description": "CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T19:11:42.179Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-v3wm-qf9p-c549",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-v3wm-qf9p-c549"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.13"
            }
          ],
          "source": {
            "advisory": "GHSA-v3wm-qf9p-c549",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48760",
        "datePublished": "2026-07-14T19:11:42.179Z",
        "dateReserved": "2026-05-22T19:39:05.356Z",
        "dateUpdated": "2026-07-15T14:36:03.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45753 (GCVE-0-2026-45753)

    Vulnerability from nvd – Published: 2026-07-14 18:21 – Updated: 2026-07-14 18:39
    VLAI
    Title
    Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascript: URI Survives Sanitization (XSS)
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes() omits URL-valued attributes including action, formaction, poster, and cite, so configurations that admit those attributes can leave javascript: URIs unsanitized and enable XSS when the resulting HTML is rendered or a victim submits a form or clicks a button. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-184 - Incomplete List of Disallowed Inputs
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45753",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T18:39:22.688923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T18:39:28.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes() omits URL-valued attributes including action, formaction, poster, and cite, so configurations that admit those attributes can leave javascript: URIs unsanitized and enable XSS when the resulting HTML is rendered or a victim submits a form or clicks a button. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:22:04.767Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/487728e7e180a674a6d4c01bd0cb56161cc441b7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/487728e7e180a674a6d4c01bd0cb56161cc441b7"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-hhg7-c65m-h7ff",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite \u2014 javascript: URI Survives Sanitization (XSS)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45753",
        "datePublished": "2026-07-14T18:21:13.644Z",
        "dateReserved": "2026-05-13T06:54:34.221Z",
        "dateUpdated": "2026-07-14T18:39:28.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45064 (GCVE-0-2026-45064)

    Vulnerability from nvd – Published: 2026-07-14 18:35 – Updated: 2026-07-14 18:35
    VLAI
    Title
    Symfony: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    • CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1007",
                  "description": "CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:35:53.530Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-h5vq-qfcg-4m6p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-h5vq-qfcg-4m6p"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/743a435e948b897ef2b5564ac438d4beb95d2526",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/743a435e948b897ef2b5564ac438d4beb95d2526"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-h5vq-qfcg-4m6p",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45064",
        "datePublished": "2026-07-14T18:35:53.530Z",
        "dateReserved": "2026-05-08T18:45:10.095Z",
        "dateUpdated": "2026-07-14T18:35:53.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45066 (GCVE-0-2026-45066)

    Vulnerability from nvd – Published: 2026-07-14 17:53 – Updated: 2026-07-14 17:53
    VLAI
    Title
    Symfony: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because <area href> is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
    CWE
    • CWE-184 - Incomplete List of Disallowed Inputs
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because \u003carea href\u003e is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:53:49.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-qc95-4862-92fh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qc95-4862-92fh"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/d506b556d3d3906f3e8660ad82257ce87edbaac4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/d506b556d3d3906f3e8660ad82257ce87edbaac4"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-qc95-4862-92fh",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and \u003carea\u003e Misclassification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45066",
        "datePublished": "2026-07-14T17:53:49.836Z",
        "dateReserved": "2026-05-08T18:45:10.096Z",
        "dateUpdated": "2026-07-14T17:53:49.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48761 (GCVE-0-2026-48761)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:21 – Updated: 2026-07-14 19:21
    VLAI
    Title
    Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes() omitted URL-bearing attributes on <object>, <applet>, <iframe>, and <img>, and <meta http-equiv="refresh"> URLs inside content bypassed URL sanitization, allowing explicitly enabled elements or attributes to pass javascript: and similar payloads into sanitized output. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-1023 - Incomplete Comparison with Missing Factors
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes() omitted URL-bearing attributes on \u003cobject\u003e, \u003capplet\u003e, \u003ciframe\u003e, and \u003cimg\u003e, and \u003cmeta http-equiv=\"refresh\"\u003e URLs inside content bypassed URL sanitization, allowing explicitly enabled elements or attributes to pass javascript: and similar payloads into sanitized output. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1023",
                  "description": "CWE-1023: Incomplete Comparison with Missing Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T19:21:26.582Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-x5qj-865h-mgvm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x5qj-865h-mgvm"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.13"
            }
          ],
          "source": {
            "advisory": "GHSA-x5qj-865h-mgvm",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003cobject\u003e, \u003capplet\u003e, \u003ciframe\u003e, \u003cimg\u003e and the URL Inside \u003cmeta http-equiv=\"refresh\"\u003e content"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48761",
        "datePublished": "2026-07-14T19:21:26.582Z",
        "dateReserved": "2026-05-22T19:39:05.356Z",
        "dateUpdated": "2026-07-14T19:21:26.582Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-48760 (GCVE-0-2026-48760)

    Vulnerability from cvelistv5 – Published: 2026-07-14 19:11 – Updated: 2026-07-15 14:36
    VLAI
    Title
    Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    • CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0, < 6.4.41
    Affected: >= 7.0.0-BETA1, < 7.4.13
    Affected: >= 8.0.0-BETA1, < 8.0.13
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-48760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T14:35:52.904845Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T14:36:03.339Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0, \u003c 6.4.41"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.13"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1007",
                  "description": "CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T19:11:42.179Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-v3wm-qf9p-c549",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-v3wm-qf9p-c549"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.41",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.13",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.13"
            }
          ],
          "source": {
            "advisory": "GHSA-v3wm-qf9p-c549",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-48760",
        "datePublished": "2026-07-14T19:11:42.179Z",
        "dateReserved": "2026-05-22T19:39:05.356Z",
        "dateUpdated": "2026-07-15T14:36:03.339Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45064 (GCVE-0-2026-45064)

    Vulnerability from cvelistv5 – Published: 2026-07-14 18:35 – Updated: 2026-07-14 18:35
    VLAI
    Title
    Symfony: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
    CWE
    • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
    • CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-451",
                  "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1007",
                  "description": "CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:35:53.530Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-h5vq-qfcg-4m6p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-h5vq-qfcg-4m6p"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/743a435e948b897ef2b5564ac438d4beb95d2526",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/743a435e948b897ef2b5564ac438d4beb95d2526"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-h5vq-qfcg-4m6p",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters \u2192 Visual href Spoofing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45064",
        "datePublished": "2026-07-14T18:35:53.530Z",
        "dateReserved": "2026-05-08T18:45:10.095Z",
        "dateUpdated": "2026-07-14T18:35:53.530Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45753 (GCVE-0-2026-45753)

    Vulnerability from cvelistv5 – Published: 2026-07-14 18:21 – Updated: 2026-07-14 18:39
    VLAI
    Title
    Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascript: URI Survives Sanitization (XSS)
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes() omits URL-valued attributes including action, formaction, poster, and cite, so configurations that admit those attributes can leave javascript: URIs unsanitized and enable XSS when the resulting HTML is rendered or a victim submits a form or clicks a button. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-184 - Incomplete List of Disallowed Inputs
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45753",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-14T18:39:22.688923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-14T18:39:28.564Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes() omits URL-valued attributes including action, formaction, poster, and cite, so configurations that admit those attributes can leave javascript: URIs unsanitized and enable XSS when the resulting HTML is rendered or a victim submits a form or clicks a button. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T18:22:04.767Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-hhg7-c65m-h7ff"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/487728e7e180a674a6d4c01bd0cb56161cc441b7",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/487728e7e180a674a6d4c01bd0cb56161cc441b7"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-hhg7-c65m-h7ff",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite \u2014 javascript: URI Survives Sanitization (XSS)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45753",
        "datePublished": "2026-07-14T18:21:13.644Z",
        "dateReserved": "2026-05-13T06:54:34.221Z",
        "dateUpdated": "2026-07-14T18:39:28.564Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45066 (GCVE-0-2026-45066)

    Vulnerability from cvelistv5 – Published: 2026-07-14 17:53 – Updated: 2026-07-14 17:53
    VLAI
    Title
    Symfony: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
    Summary
    Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because <area href> is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
    CWE
    • CWE-184 - Incomplete List of Disallowed Inputs
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    symfony symfony Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    symfony html-sanitizer Affected: >= 6.1.0-BETA1, < 6.4.40
    Affected: >= 7.0.0-BETA1, < 7.4.12
    Affected: >= 8.0.0-BETA1, < 8.0.12
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "symfony",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            },
            {
              "product": "html-sanitizer",
              "vendor": "symfony",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 6.1.0-BETA1, \u003c 6.4.40"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.0.0-BETA1, \u003c 7.4.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 8.0.0-BETA1, \u003c 8.0.12"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because \u003carea href\u003e is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-14T17:53:49.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-qc95-4862-92fh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qc95-4862-92fh"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/d506b556d3d3906f3e8660ad82257ce87edbaac4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/commit/d506b556d3d3906f3e8660ad82257ce87edbaac4"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v6.4.40",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v7.4.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v8.0.12",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
            }
          ],
          "source": {
            "advisory": "GHSA-qc95-4862-92fh",
            "discovery": "UNKNOWN"
          },
          "title": "Symfony: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and \u003carea\u003e Misclassification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45066",
        "datePublished": "2026-07-14T17:53:49.836Z",
        "dateReserved": "2026-05-08T18:45:10.096Z",
        "dateUpdated": "2026-07-14T17:53:49.836Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }