3 matches found
CVE-2026-48760
Symfony HtmlSanitizer/UrlSanitizer::parse() had an underinclusive denial for BiDi formatting characters and Unicode whitespace, allowing percent-encoded BiDi marks to bypass the check. The issue affects UrlSanitizer::parse() behavior from Symfony 6.1.0 up to 6.4.41, 7.4.13, and 8.0.13, where raw ...
CVE-2026-45064
CVE-2026-45064 (Symfony) affects the UrlSanitizer::parse() path used by Symfony HtmlSanitizer/UrlSanitizer. From versions 6.1.0-BETA1 up to 6.4.40, 7.4.12, and 8.0.12, Unicode explicit-direction BiDi formatting characters were passed through into sanitized href/src attributes, enabling phishing-s...
PT-2026-44133
Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4.31 Description The parse function in SymfonyComponentHtmlSanitizerTextSanitizerUrlSanitizer utilized by UrlSanitizer::sanitize and any HtmlSanitizer configuration permitting links or media fails to filter Unicode...