XML Entity Expansion Vulnerability in Symfony PHP Framework
CVE-2026-45071

8.7HIGH

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45071?

The Symfony PHP framework has a vulnerability in its Crawler component due to improper handling of XML content. Specifically, prior to versions 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the method Crawler::addXmlContent() enabled DOMDocument::$validateOnParse, allowing for external entity resolution. This creates a risk where attackers can exploit this behavior to load unintended local files through crafted XML payloads. Users of affected versions are advised to update to the latest releases to mitigate this risk.

Affected Version(s)

dom-crawler < 5.4.52 < 5.4.52

dom-crawler >= 6.0.0-BETA1, < 6.4.40 < 6.0.0-BETA1, 6.4.40

dom-crawler >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.