Package impact
Packagist / symfony/html-sanitizer
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-45064 | medium | — | 5.5 | 9d ago | Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing | |
| CVE-2026-45066 | medium | — | 5.5 | 9d ago | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and `<area>` Misclassification | |
| CVE-2026-45753 | unknown | — | — | 9d ago | Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript:` URI Survives Sanitization (XSS) | |