Lucene search
K

3 matches found

OSV
OSV
added 2026/06/15 4:46 p.m.3 views

GHSA-X5QJ-865H-MGVM Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes

Description Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\UrlAttributeSanitizer::getSupportedAttributes enumerates the attribute names whose values are scrubbed through UrlSanitizer::sanitize scheme and host allow-lists, javascript: rejection, BiDi check, etc.. The list is 'src',...

5.3CVSS5.5AI score0.00051EPSS
Exploits0References6
OSV
OSV
added 2026/05/27 8:4 p.m.6 views

GHSA-H5VQ-QFCG-4M6P Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...

6.9CVSS5.9AI score0.00069EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/27 8:4 p.m.12 views

Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...

5.9AI score0.00069EPSS
Exploits0References6Affected Software2
Rows per page
Query Builder