CVE-2026-45066
EUVD-2026-4433914.07.2026, 18:17
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because <area href> is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.Enginsight
Awaiting analysis
This vulnerability is currently awaiting analysis.
Debian Releases
Debian Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| symfony |
|
References