CVE-2026-45753

Source
https://cve.org/CVERecord?id=CVE-2026-45753
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45753.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45753
Aliases
Downstream
Published
2026-07-14T18:21:13.644Z
Modified
2026-07-15T02:20:37.581914690Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascript: URI Survives Sanitization (XSS)
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes() omits URL-valued attributes including action, formaction, poster, and cite, so configurations that admit those attributes can leave javascript: URIs unsanitized and enable XSS when the resulting HTML is rendered or a victim submits a form or clicks a button. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45753.json",
    "cwe_ids": [
        "CWE-184",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "6.1.0-BETA1"
        },
        {
            "fixed": "6.4.40"
        },
        {
            "introduced": "7.0.0-BETA1"
        },
        {
            "fixed": "7.4.12"
        },
        {
            "introduced": "8.0.0-BETA1"
        },
        {
            "fixed": "8.0.12"
        }
    ]
}

Affected versions

v6.*
v6.1.0-BETA1
v6.1.0-BETA2
v6.1.0-RC1
v6.2.0-BETA1
v6.2.0-BETA2
v6.2.0-BETA3
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.4.0
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.17
v6.4.18
v6.4.19
v6.4.2
v6.4.20
v6.4.21
v6.4.22
v6.4.23
v6.4.24
v6.4.25
v6.4.26
v6.4.27
v6.4.28
v6.4.29
v6.4.3
v6.4.30
v6.4.31
v6.4.32
v6.4.33
v6.4.34
v6.4.35
v6.4.36
v6.4.37
v6.4.38
v6.4.39
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v7.*
v7.0.0-BETA1
v7.0.0-BETA2
v7.0.0-BETA3
v7.0.0-RC1
v7.1.0-BETA1
v7.1.0-RC1
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.4.0
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0-RC2
v7.4.0-RC3
v7.4.1
v7.4.10
v7.4.11
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v8.*
v8.0.0
v8.0.0-BETA1
v8.0.0-BETA2
v8.0.0-RC1
v8.0.0-RC2
v8.0.0-RC3
v8.0.1
v8.0.10
v8.0.11
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45753.json"