Lucene search
+L

109 matches found

CVE
CVE
added 3 days ago22 views

CVE-2026-48760

Symfony HtmlSanitizer/UrlSanitizer::parse() had an underinclusive denial for BiDi formatting characters and Unicode whitespace, allowing percent-encoded BiDi marks to bypass the check. The issue affects UrlSanitizer::parse() behavior from Symfony 6.1.0 up to 6.4.41, 7.4.13, and 8.0.13, where raw ...

6.1CVSS6.1AI score0.00262EPSS
Exploits0References5Affected Software1
OSV
OSV
added 3 days ago3 views

CVE-2026-48760 Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs...

5.3CVSS6.1AI score0.00262EPSS
Exploits0References7
CVE
CVE
added 3 days ago26 views

CVE-2026-45064

CVE-2026-45064 (Symfony) affects the UrlSanitizer::parse() path used by Symfony HtmlSanitizer/UrlSanitizer. From versions 6.1.0-BETA1 up to 6.4.40, 7.4.12, and 8.0.12, Unicode explicit-direction BiDi formatting characters were passed through into sanitized href/src attributes, enabling phishing-s...

6.1CVSS6.1AI score0.00293EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:32 p.m.9 views

Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse rejects URLs containing raw Unicode explicit-direction BiDi formatting characters U+202A–U+202E, U+2066–U+2069 as a defense against visual-spoofing of the rendered href. The check covers only the raw UTF-8 forms of thos...

6.1CVSS5.4AI score0.00262EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/27 8:4 p.m.12 views

Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...

6.1CVSS5.9AI score0.00293EPSS
Exploits0References6Affected Software2
Snyk
Snyk
added 2026/05/27 9:41 a.m.13 views

Improper Encoding or Escaping of Output

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the HtmlSanitizer component that fails to properly detect and strip percent-encoded BiDi...

6.1CVSS5.8AI score0.00262EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in Fribidi

A segmentation fault flaw was discovered in the Fribidi package, affecting the fribidiremovebidimarks function in the lib/fribidi.c file. This flaw allows an attacker to submit a specially crafted file to Fribidi, resulting in a crash and causing a denial of service...

5.5CVSS6.7AI score0.00454EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/02/21 1:28 a.m.4 views

CVE-2026-27001

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory workspace path into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters for example...

8.6CVSS5.5AI score0.00205EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.5 views

MiracleLinux 8 : rust-toolset:rhel8 (AXSA:2022-2990:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-2990:01 advisory. Developer environment: Unicode's bidirectional BiDi override characters can cause trojan source attacks CVE-2021-42574 The following changes were introduced ...

8.3CVSS5.8AI score0.12205EPSS
Exploits4References2
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.4 views

MiracleLinux 8 : gcc-toolset-11-annobin-9.85-1.el8.1, gcc-toolset-11-binutils-2.36.1-1.el8.1, gcc-toolset-11-gcc-11.2.1-1.2.el8 (AXSA:2021-2882:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2882:01 advisory. Developer environment: Unicode's bidirectional BiDi override characters can cause trojan source attacks CVE-2021-42574 The following changes were introduced ...

8.3CVSS5.7AI score0.12205EPSS
Exploits4References2
EUVD
EUVD
added 2025/11/12 7:18 p.m.2 views

EUVD-2025-139173

Malicious code in nuyar-adar-bidu npm...

6.6AI score
Exploits0
OSV
OSV
added 2025/10/20 10:55 p.m.4 views

JLSEC-2025-172 A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bid...

A segmentation fault SEGV flaw was found in the Fribidi package and affects the fribidiremovebidimarks function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service...

5.5CVSS6.5AI score0.00454EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2025/10/18 12:0 p.m.7 views

CuPs (>=0.0.0 <=0.0.5), Druid_task1 (=0.1.0) +94 more potentially affected by unknown CVE via unic-ucd-bidi (>=0.1.1 <=0.9.0)

unic-ucd-bidi CARGO version =0.1.1, =0.0.0, =1.11.3, =0.3.0, =0.1.0-alpha.4, =0.3.0, =0.4.0, =0.2.4-beta, =0.7.0, =0.4.0, =0.5.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0083...

5.8AI score
Exploits0
vulnersOsv
vulnersOsv
added 2025/10/18 12:0 p.m.8 views

Druid_task1 (=0.1.0), audio-processor-analysis (>=0.1.0-alpha.4 <=2.4.0) +72 more potentially affected by unknown CVE via unic-bidi (>=0.1.0 <=0.9.0)

unic-bidi CARGO version =0.1.0, =0.1.0-alpha.4, =0.4.0, =0.7.0, =0.4.0, =0.7.0, =0.2.0, =0.2.3 - frui =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0096...

5.8AI score
Exploits0
OSV
OSV
added 2025/10/18 12:0 p.m.5 views

RUSTSEC-2025-0083 `unic-ucd-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

7AI score
Exploits0References3
OSV
OSV
added 2025/10/18 12:0 p.m.7 views

RUSTSEC-2025-0096 `unic-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...

7AI score
Exploits0References3
RustSec
RustSec
added 2025/10/18 12:0 p.m.8 views

`unic-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...

7AI score
Exploits0
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2011-2606

Malware in sbrugna...

5CVSS6.1AI score0.02215EPSS
Exploits1References6
OSV
OSV
added 2025/08/14 6:52 p.m.3 views

MAL-2025-15669 Malicious code in bidi-utils (npm)

The package bidi-utils was found to contain malicious code...

7.2AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/08/14 6:52 p.m.4 views

Malicious code in bidi-utils (npm)

The package bidi-utils was found to contain malicious code...

7AI score
Exploits0
Rows per page
Query Builder