XSS Vulnerability in Symfony PHP Framework Affecting Multiple Versions
CVE-2026-45753

2.1LOW

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45753?

A security flaw in the Symfony PHP framework allows for Cross-Site Scripting (XSS) attacks due to the improper sanitization of URL-valued attributes in specific configurations. The affected versions 6.1.0-BETA1 up to 6.4.39, along with 7.4.0 to 7.4.11, and 8.0.0 to 8.0.11, fail to properly handle attributes like action and formaction in forms, resulting in potential exposure to javascript: URIs that can execute unauthorized scripts when users interact with the resulting HTML. This vulnerability has been addressed in subsequent releases, enhancing the framework's security posture.

Affected Version(s)

html-sanitizer >= 6.1.0-BETA1, < 6.4.40 < 6.1.0-BETA1, 6.4.40

html-sanitizer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12

html-sanitizer >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.