symfony/html-sanitizer Security Advisories for v7.2.0-BETA1 (3)
-
CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
PKSA-4fc7-y875-17k3 CVE-2026-45064
Affected version: >=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Reported by:
FriendsOfPHP/security-advisories -
CVE-2026-45066: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
PKSA-jwvg-gphd-brbz CVE-2026-45066
Affected version: >=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Reported by:
FriendsOfPHP/security-advisories -
CVE-2026-45753: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: javascript: URI Survives Sanitization (XSS)
PKSA-q2wy-m7mz-kg58 CVE-2026-45753
Affected version: >=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.40|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.12|>=8.0.0,<8.0.12
Reported by:
FriendsOfPHP/security-advisories