PHP Framework Vulnerability in Symfony Affecting Multiple Versions
CVE-2026-45064

2.3LOW

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45064?

The Symfony PHP framework contains a vulnerability in the UrlSanitizer::parse() method, which incorrectly processes Unicode explicit-direction BiDi formatting characters in href and src attributes. This flaw allows sanitized content to misrepresent the actual link destination, potentially enabling phishing attacks through visual spoofing. The issue affects versions from 6.1.0-BETA1 up to 6.4.40, 7.4.12, and 8.0.12. To address this vulnerability, users are recommended to upgrade to the latest patched versions.

Affected Version(s)

html-sanitizer >= 6.1.0-BETA1, < 6.4.40 < 6.1.0-BETA1, 6.4.40

html-sanitizer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

html-sanitizer >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.