XSS Vulnerability in Symfony PHP Framework Affecting Multiple Versions
CVE-2026-45753
What is CVE-2026-45753?
A security flaw in the Symfony PHP framework allows for Cross-Site Scripting (XSS) attacks due to the improper sanitization of URL-valued attributes in specific configurations. The affected versions 6.1.0-BETA1 up to 6.4.39, along with 7.4.0 to 7.4.11, and 8.0.0 to 8.0.11, fail to properly handle attributes like action and formaction in forms, resulting in potential exposure to javascript: URIs that can execute unauthorized scripts when users interact with the resulting HTML. This vulnerability has been addressed in subsequent releases, enhancing the framework's security posture.
Affected Version(s)
html-sanitizer >= 6.1.0-BETA1, < 6.4.40 < 6.1.0-BETA1, 6.4.40
html-sanitizer >= 7.0.0-BETA1, < 7.4.12 < 7.0.0-BETA1, 7.4.12
html-sanitizer >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
