Web Application Vulnerability in Symfony PHP Framework
CVE-2026-48760

5.3MEDIUM

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-48760?

An issue in the Symfony PHP framework allows the parsing function to incorrectly handle certain URL inputs. Specifically, it fails to reject percent-encoded forms of raw BiDi formatting characters. This allows attackers to create URLs that visually mislead users by including undetectable characters, leading to potential phishing schemes or data exposure. The issue has been resolved in subsequent versions, ensuring improved sanitization and user protection.

Affected Version(s)

html-sanitizer >= 6.1.0, < 6.4.41 < 6.1.0, 6.4.41

html-sanitizer >= 7.0.0-BETA1, < 7.4.13 < 7.0.0-BETA1, 7.4.13

html-sanitizer >= 8.0.0-BETA1, < 8.0.13 < 8.0.0-BETA1, 8.0.13

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.