URL Sanitization Vulnerability in Symfony Framework by SensioLabs
CVE-2026-45066
What is CVE-2026-45066?
A vulnerability has been identified in the Symfony PHP framework regarding its URL sanitization process. The issue arises from the interpretation of URL parsing standards, where the HtmlSanitizer's allowLinkHosts() and allowMediaHosts() methods fail to adequately restrict off-allowlist URLs. Specifically, the UrlSanitizer::parse() function adheres to RFC 3986, while modern browsers utilize WHATWG URL parsing rules. This discrepancy can inadvertently allow unauthorized URLs in attributes, compromising the security of applications built on Symfony. The problem has been addressed in updated Symfony versions 6.4.40, 7.4.12, and 8.0.12.
Affected Version(s)
html-sanitizer >= 6.1.0-BETA1, < 6.4.40 < 6.1.0-BETA1, 6.4.40
html-sanitizer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
html-sanitizer >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
