Lucene search
+L

11 matches found

nvd
nvd
added 3 days ago4 views

CVE-2026-48760

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs...

6.1CVSS0.00262EPSS
Exploits0References5
cve
cve
added 3 days ago22 views

CVE-2026-48760

Symfony HtmlSanitizer/UrlSanitizer::parse() had an underinclusive denial for BiDi formatting characters and Unicode whitespace, allowing percent-encoded BiDi marks to bypass the check. The issue affects UrlSanitizer::parse() behavior from Symfony 6.1.0 up to 6.4.41, 7.4.13, and 8.0.13, where raw ...

6.1CVSS6.1AI score0.00262EPSS
Exploits0References5Affected Software1
github
github
added 2026/06/15 5:32 p.m.8 views

Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse rejects URLs containing raw Unicode explicit-direction BiDi formatting characters U+202A–U+202E, U+2066–U+2069 as a defense against visual-spoofing of the rendered href. The check covers only the raw UTF-8 forms of thos...

6.1CVSS5.4AI score0.00262EPSS
Exploits0References6Affected Software2
nessus
nessus
added 2026/06/05 12:0 a.m.8 views

Symfony and Symfony HTML Sanitizer Component 6.1.x < 6.4.40 / 7.0.x < 7.4.12 / 8.0.x 8.0.12 Multiple Vulnerabilities

The version of Symfony and/or the Symfony HTML Sanitizer Component installed on the remote host is prior to 6.1.x prior to 6.4.40, 7.0.x prior to 7.4.12, 8.0.x prior to 8.0.12. and, therefore, affected by multiple vulnerabilities: - A visual spoofing vulnerability exists in Symfony Component...

6.1CVSS5.6AI score0.00293EPSS
Exploits0References6
osv
osv
added 2026/05/27 8:4 p.m.6 views

GHSA-H5VQ-QFCG-4M6P Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...

6.9CVSS5.9AI score0.00293EPSS
Exploits0References6
github
github
added 2026/05/27 8:4 p.m.12 views

Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...

6.1CVSS5.9AI score0.00293EPSS
Exploits0References6Affected Software2
snyk
snyk
added 2026/05/27 9:41 a.m.13 views

Improper Encoding or Escaping of Output

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the HtmlSanitizer component that fails to properly detect and strip percent-encoded BiDi...

6.1CVSS5.8AI score0.00262EPSS
Exploits0References2
euvd
euvd
added 2026/05/25 2:5 p.m.11 views

EUVD-2026-31693

Firefox for iOS displayed specially crafted right-to-left RTL and internationalized domain names IDNs incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This...

5.8AI score0.00199EPSS
Exploits0References2
friendsofphp
friendsofphp
added 1970/01/01 12:0 a.m.11 views

CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

More info at https://symfony.com/cve-2026-45064...

6.1CVSS5.8AI score0.00293EPSS
Exploits0Affected Software1
friendsofphp
friendsofphp
added 1970/01/01 12:0 a.m.9 views

CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

More info at https://symfony.com/cve-2026-48760...

6.1CVSS5.8AI score0.00262EPSS
Exploits0Affected Software1
friendsofphp
friendsofphp
added 1970/01/01 12:0 a.m.8 views

CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

More info at https://symfony.com/cve-2026-48760...

6.1CVSS5.8AI score0.00262EPSS
Exploits0Affected Software1
Rows per page
Query Builder