XML Entity Expansion Vulnerability in Symfony PHP Framework
CVE-2026-45071
8.7HIGH
What is CVE-2026-45071?
The Symfony PHP framework has a vulnerability in its Crawler component due to improper handling of XML content. Specifically, prior to versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the method Crawler::addXmlContent() enabled DOMDocument::$validateOnParse, allowing for external entity resolution. This creates a risk where attackers can exploit this behavior to load unintended local files through crafted XML payloads. Users of affected versions are advised to update to the latest releases to mitigate this risk.
Affected Version(s)
dom-crawler < 5.4.52 < 5.4.52
dom-crawler >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40
dom-crawler >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
