URL Sanitization Vulnerability in Symfony Framework by SensioLabs
CVE-2026-45066

2.3LOW

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45066?

A vulnerability has been identified in the Symfony PHP framework regarding its URL sanitization process. The issue arises from the interpretation of URL parsing standards, where the HtmlSanitizer's allowLinkHosts() and allowMediaHosts() methods fail to adequately restrict off-allowlist URLs. Specifically, the UrlSanitizer::parse() function adheres to RFC 3986, while modern browsers utilize WHATWG URL parsing rules. This discrepancy can inadvertently allow unauthorized URLs in attributes, compromising the security of applications built on Symfony. The problem has been addressed in updated Symfony versions 6.4.40, 7.4.12, and 8.0.12.

Affected Version(s)

html-sanitizer >= 6.1.0-BETA1, < 6.4.40 < 6.1.0-BETA1, 6.4.40

html-sanitizer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

html-sanitizer >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.