Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse rejects URLs containing raw Unicode explicit-direction BiDi formatting characters U+202A–U+202E, U+2066–U+2069 as a defense against visual-spoofing of the rendered href. The check covers only the raw UTF-8 forms of thos...

Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing

Description Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse used by UrlSanitizer::sanitize and therefore by every HtmlSanitizer config that allows links or media accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E LRE / RLE / PDF / LRO ...

Improper Encoding or Escaping of Output

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the HtmlSanitizer component that fails to properly detect and strip percent-encoded BiDi...

Astra Linux - уязвимость в fribidi

A segmentation fault flaw was detected in the Fribidi package, affecting the fribidiremovebidimarks function in the lib/fribidi.c file. This flaw allows an attacker to submit a specially crafted file to Fribidi, resulting in a crash and causing a denial of service...

CVE-2026-27001

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory workspace path into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters for example...

MiracleLinux 8 : rust-toolset:rhel8 (AXSA:2022-2990:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-2990:01 advisory. Developer environment: Unicode's bidirectional BiDi override characters can cause trojan source attacks CVE-2021-42574 The following changes were introduced ...

MiracleLinux 8 : gcc-toolset-11-annobin-9.85-1.el8.1, gcc-toolset-11-binutils-2.36.1-1.el8.1, gcc-toolset-11-gcc-11.2.1-1.2.el8 (AXSA:2021-2882:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2882:01 advisory. Developer environment: Unicode's bidirectional BiDi override characters can cause trojan source attacks CVE-2021-42574 The following changes were introduced ...

EUVD-2025-139173

Malicious code in nuyar-adar-bidu npm...

JLSEC-2025-172 A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bid...

A segmentation fault SEGV flaw was found in the Fribidi package and affects the fribidiremovebidimarks function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service...

Druid_task1 (=0.1.0), audio-processor-analysis (>=0.1.0-alpha.4 <=2.4.0) +72 more potentially affected by unknown CVE via unic-bidi (>=0.1.0 <=0.9.0)

unic-bidi CARGO version =0.1.0, =0.1.0-alpha.4, =0.4.0, =0.7.0, =0.4.0, =0.7.0, =0.2.0, =0.2.3 - frui =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0096...

CuPs (>=0.0.0 <=0.0.5), Druid_task1 (=0.1.0) +94 more potentially affected by unknown CVE via unic-ucd-bidi (>=0.1.1 <=0.9.0)

unic-ucd-bidi CARGO version =0.1.1, =0.0.0, =1.11.3, =0.3.0, =0.1.0-alpha.4, =0.3.0, =0.4.0, =0.2.4-beta, =0.7.0, =0.4.0, =0.5.1 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2025-0083...

RUSTSEC-2025-0083 `unic-ucd-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - icuproperties...

`unic-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...

RUSTSEC-2025-0096 `unic-bidi` is unmaintained

All Unicode crates that are part of https://github.com/open-i18n/rust-unic are unmaintained. Recommended alternatives - unicode-bidi...

EUVD-2011-2606

Malware in sbrugna...

Malicious code in bidi-utils (npm)

The package bidi-utils was found to contain malicious code...

MAL-2025-15669 Malicious code in bidi-utils (npm)

The package bidi-utils was found to contain malicious code...

CVE-2011-2623

Unspecified vulnerability in the SVG BiDi implementation in Opera before 11.50 allows remote attackers to cause a denial of service application crash or hang via unknown vectors...

BD FACSChorus Security Breach

BD FACSChorus is a multichannel flow cytometry system from Bidi Medical BD. A security vulnerability exists in the BD FACSChorus that stems from being configured to allow the transmission of hashed user credentials based on a user action without fully verifying the identity of the requested...

Rocky Linux 8 : annobin (RLSA-2021:4593)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2021:4593 advisory. - DISPUTED An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via...