Web Application Vulnerability in Symfony PHP Framework
CVE-2026-48760
5.3MEDIUM
What is CVE-2026-48760?
An issue in the Symfony PHP framework allows the parsing function to incorrectly handle certain URL inputs. Specifically, it fails to reject percent-encoded forms of raw BiDi formatting characters. This allows attackers to create URLs that visually mislead users by including undetectable characters, leading to potential phishing schemes or data exposure. The issue has been resolved in subsequent versions, ensuring improved sanitization and user protection.
Affected Version(s)
html-sanitizer >= 6.1.0, < 6.4.41 < 6.1.0, 6.4.41
html-sanitizer >= 7.0.0-BETA1, < 7.4.13 < 7.0.0-BETA1, 7.4.13
html-sanitizer >= 8.0.0-BETA1, < 8.0.13 < 8.0.0-BETA1, 8.0.13
