CVE-2026-45066

Source
https://cve.org/CVERecord?id=CVE-2026-45066
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45066.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45066
Aliases
Downstream
Published
2026-07-14T17:53:49.836Z
Modified
2026-07-15T02:20:21.022520600Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Symfony: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because <area href> is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-184",
        "CWE-436"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45066.json"
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "6.1.0-BETA1"
        },
        {
            "fixed": "6.4.40"
        },
        {
            "introduced": "7.0.0-BETA1"
        },
        {
            "fixed": "7.4.12"
        },
        {
            "introduced": "8.0.0-BETA1"
        },
        {
            "fixed": "8.0.12"
        }
    ]
}

Affected versions

v6.*
v6.1.0-BETA1
v6.1.0-BETA2
v6.1.0-RC1
v6.2.0-BETA1
v6.2.0-BETA2
v6.2.0-BETA3
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.4.0
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.2
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.3
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v7.*
v7.0.0-BETA1
v7.0.0-BETA2
v7.0.0-BETA3
v7.0.0-RC1
v7.1.0-BETA1
v7.1.0-RC1
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.4.0
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0-RC2
v7.4.0-RC3
v7.4.1
v7.4.10
v7.4.11
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v8.*
v8.0.0
v8.0.0-BETA1
v8.0.0-BETA2
v8.0.0-RC1
v8.0.0-RC2
v8.0.0-RC3
v8.0.1
v8.0.10
v8.0.11
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45066.json"