GHSA-h5vq-qfcg-4m6p

Source
https://github.com/advisories/GHSA-h5vq-qfcg-4m6p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h5vq-qfcg-4m6p
Aliases
  • CVE-2026-45064
Published
2026-05-27T20:04:22Z
Modified
2026-05-27T20:15:09.470090831Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing
Details

Description

Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse() (used by UrlSanitizer::sanitize(), and therefore by every HtmlSanitizer configuration that allows links or media) accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A–U+202E (LRE, RLE, PDF, LRO, RLO) and U+2066–U+2069 (LRI, RLI, FSI, PDI). These characters are passed through unchanged into the href / src attributes that HtmlSanitizer produces. When the resulting HTML is rendered in a browser, the override characters reverse or otherwise alter the visual ordering of the URL text, so the link as displayed can differ arbitrarily from its actual destination: a classic visual-spoofing / phishing primitive against viewers of sanitized content.

Resolution

UrlSanitizer::parse() now rejects URLs containing the explicit-direction BiDi formatting code points (U+202A–U+202E, U+2066–U+2069) before invoking the underlying URL parser. As an unrelated companion fix in the same patch, spaces inside path/query/fragment are now percent-encoded rather than rejected outright, while spaces in the scheme/authority remain rejected by the post-encoding whitespace check.

The patch for this issue is available here for branch 5.4.
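As an added illustration of the resolution described above (example code written for this page, not Symfony's own UrlSanitizer), the following hypothetical BidiUrlGuard::check() applies the same two rules in order: reject the explicit-direction BiDi code points before any URL parsing, then percent-encode spaces only after the scheme/authority so that whitespace in the scheme or host still fails the final whitespace check. The class name, method name and sample URLs are all assumptions.

```php
<?php
// Added example, not Symfony's code. Names here are hypothetical.
final class BidiUrlGuard
{
    // The explicit-direction BiDi formatting code points named in the advisory:
    // U+202A..U+202E (LRE, RLE, PDF, LRO, RLO) and U+2066..U+2069 (LRI, RLI, FSI, PDI).
    private const BIDI_PATTERN = '/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u';

    /** Returns a URL that is safe to hand to a URL parser, or null if it must be rejected. */
    public static function check(string $url): ?string
    {
        // Rule 1: reject BiDi formatting characters before parsing anything.
        if (preg_match(self::BIDI_PATTERN, $url) === 1) {
            return null;
        }

        // Rule 2: split "scheme://authority" from the path/query/fragment part.
        // The authority ends at the first '/', '?' or '#'. A string without a
        // "scheme://" prefix (relative reference) is treated as path-like as a whole.
        if (preg_match('~^([a-z][a-z0-9+.-]*://[^/?#]*)(.*)$~is', $url, $m) === 1) {
            [$head, $tail] = [$m[1], $m[2]];
        } else {
            [$head, $tail] = ['', $url];
        }

        // Spaces after the authority are percent-encoded instead of rejected.
        $tail = str_replace(' ', '%20', $tail);
        $candidate = $head.$tail;

        // Rule 3: any remaining ASCII whitespace (a space left in the scheme or
        // authority, or tabs/newlines anywhere) still rejects the URL.
        if (preg_match('/\s/', $candidate) === 1) {
            return null;
        }

        return $candidate;
    }
}

// Constructed sample inputs; the override character is written as an escape.
$samples = [
    'https://example.com/login',                      // clean, returned unchanged
    "https://example.com/\u{202E}fdp.tnemucod",        // RLO in the path: rejected
    'https://example.com/my docs?q=a b#frag ment',    // spaces after the authority: encoded
    'https://exam ple.com/',                          // space in the authority: rejected
];
foreach ($samples as $sample) {
    var_dump(BidiUrlGuard::check($sample));
}
```

A defender can run the same BIDI_PATTERN over already-stored sanitized HTML to find href / src values that passed through an unpatched version.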

Credits

Symfony would like to thank Himanshu Anand for reporting the issue and Nicolas Grekas for providing the fix.

Database specific
{
    "cwe_ids": [
        "CWE-451",
        "CWE-1007"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T20:04:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

Packagist
symfony/html-sanitizer

Package

Name
symfony/html-sanitizer
Purl
pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.4.40

Affected versions

v6.*
v6.1.0
v6.1.9
v6.1.11
v6.2.0-BETA1
v6.2.0-RC1
v6.2.0
v6.2.2
v6.2.5
v6.2.7
v6.3.0-BETA1
v6.3.0-RC1
v6.3.0
v6.3.4
v6.3.7
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-RC1
v6.4.0
v6.4.3
v6.4.4
v6.4.7
v6.4.8
v6.4.12
v6.4.13
v6.4.17
v6.4.18
v6.4.21
v6.4.24
v6.4.25
v6.4.28
v6.4.35

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json"
symfony/html-sanitizer

Package

Name
symfony/html-sanitizer
Purl
pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.4.12

Affected versions

v7.*
v7.0.0
v7.0.3
v7.0.4
v7.0.7
v7.0.8
v7.1.0-BETA1
v7.1.0-RC1
v7.1.0
v7.1.1
v7.1.5
v7.1.6
v7.1.10
v7.1.11
v7.2.0-BETA1
v7.2.0-RC1
v7.2.0
v7.2.2
v7.2.3
v7.2.6
v7.2.9
v7.3.0-BETA1
v7.3.0-RC1
v7.3.0
v7.3.2
v7.3.3
v7.3.6
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0
v7.4.7
v7.4.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json"
symfony/html-sanitizer

Package

Name
symfony/html-sanitizer
Purl
pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.7
v8.0.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.4.40

Affected versions

v6.*
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.1.10
v6.1.11
v6.1.12
v6.2.0-BETA1
v6.2.0-BETA2
v6.2.0-BETA3
v6.2.0-RC1
v6.2.0-RC2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.3.10
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.4.12

Affected versions

v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.0.10
v7.1.0-BETA1
v7.1.0-RC1
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.1.10
v7.1.11
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.6
v7.3.7
v7.3.8
v7.3.9
v7.3.10
v7.3.11
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0-RC2
v7.4.0-RC3
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v7.4.10
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.0.10
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-h5vq-qfcg-4m6p/GHSA-h5vq-qfcg-4m6p.json"