109 matches found
CVE-2026-48760
Symfony HtmlSanitizer/UrlSanitizer::parse() had an underinclusive denial for BiDi formatting characters and Unicode whitespace, allowing percent-encoded BiDi marks to bypass the check. The issue affects UrlSanitizer::parse() behavior from Symfony 6.1.0 up to 6.4.41, 7.4.13, and 8.0.13, where raw ...
CVE-2026-48760 Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs...
CVE-2026-45064
CVE-2026-45064 (Symfony) affects the UrlSanitizer::parse() path used by Symfony HtmlSanitizer/UrlSanitizer. From versions 6.1.0-BETA1 up to 6.4.40, 7.4.12, and 8.0.12, Unicode explicit-direction BiDi formatting characters were passed through into sanitized href/src attributes, enabling phishing-s...
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse rejects URLs containing raw Unicode explicit-direction BiDi formatting characters U+202A–U+202E, U+2066–U+2069 as a defense against visual-spoofing of the rendered href. The check covers only the raw UTF-8 forms of thos...
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...
Improper Encoding or Escaping of Output
Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the HtmlSanitizer component that fails to properly detect and strip percent-encoded BiDi...
Astra Linux – Vulnerability in Fribidi
A segmentation fault flaw was discovered in the Fribidi package, affecting the fribidiremovebidimarks function in the lib/fribidi.c file. This flaw allows an attacker to submit a specially crafted file to Fribidi, resulting in a crash and causing a denial of service...
CVE-2026-27001
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory workspace path into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters for example...
MiracleLinux 8 : rust-toolset:rhel8 (AXSA:2022-2990:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-2990:01 advisory. Developer environment: Unicode's bidirectional BiDi override characters can cause trojan source attacks CVE-2021-42574 The following changes were introduced ...
MiracleLinux 8 : gcc-toolset-11-annobin-9.85-1.el8.1, gcc-toolset-11-binutils-2.36.1-1.el8.1, gcc-toolset-11-gcc-11.2.1-1.2.el8 (AXSA:2021-2882:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2882:01 advisory. Developer environment: Unicode's bidirectional BiDi override characters can cause trojan source attacks CVE-2021-42574 The following changes were introduced ...
EUVD-2025-139173
Malicious code in nuyar-adar-bidu npm...
JLSEC-2025-172 A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bid...
A segmentation fault SEGV flaw was found in the Fribidi package and affects the fribidiremovebidimarks function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service...
CuPs (>=0.0.0 <=0.0.5), Druid_task1 (=0.1.0) +94 more potentially affected by unknown CVE via unic-ucd-bidi (>=0.1.1 <=0.9.0)
unic-ucd-bidi CARGO version =0.1.1, =0.0.0, =1.11.3, =0.3.0, =0.1.0-alpha.4, =0.3.0, =0.4.0, =0.2.4-beta, =0.7.0, =0.4.0, =0.5.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0083...
Druid_task1 (=0.1.0), audio-processor-analysis (>=0.1.0-alpha.4 <=2.4.0) +72 more potentially affected by unknown CVE via unic-bidi (>=0.1.0 <=0.9.0)
unic-bidi CARGO version =0.1.0, =0.1.0-alpha.4, =0.4.0, =0.7.0, =0.4.0, =0.7.0, =0.2.0, =0.2.3 - frui =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0096...
RUSTSEC-2025-0083 `unic-ucd-bidi` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...
RUSTSEC-2025-0096 `unic-bidi` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...
`unic-bidi` is unmaintained
All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...
EUVD-2011-2606
Malware in sbrugna...
MAL-2025-15669 Malicious code in bidi-utils (npm)
The package bidi-utils was found to contain malicious code...
Malicious code in bidi-utils (npm)
The package bidi-utils was found to contain malicious code...