GHSA-qc95-4862-92fh

Source

https://github.com/advisories/GHSA-qc95-4862-92fh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qc95-4862-92fh

Aliases

CVE-2026-45066

Published

2026-05-27T20:13:04Z

Modified

2026-05-27T20:30:09.066989677Z

Summary

Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification

Details

Description

symfony/html-sanitizer lets applications sanitise untrusted HTML. The configuration methods allowLinkHosts([...]) and allowLinkSchemes([...]) are intended to restrict <a href> targets to an allowlist of hosts/schemes; allowMediaHosts() / allowMediaSchemes() do the same for <img src> etc.

Three distinct bypasses allow a content author to smuggle off-allowlist URLs past these checks. First, UrlSanitizer::parse() parses the input following RFC-3986, while browsers follow the WHATWG URL Standard which normalises \ to / before parsing the authority of "special" schemes; so an input like https://evil\@trusted.com/ parses with host trusted.com server-side but navigates to https://evil/ in the browser. Second, WHATWG collapses any run of / after the scheme into //, while RFC-3986 does not; so https:/evil.com/ and https:///evil.com/ parse as host-less (skipping the host allowlist) but resolve to evil.com in the browser. Third, UrlAttributeSanitizer checks 'a' === $element to route to the link policy and falls through to the media policy otherwise, but <area> is a navigable hyperlink equivalent to <a>; so <area href> was sanitised against the media policy (which typically allows data: and may have no host allowlist), bypassing allowLinkHosts() / allowLinkSchemes() entirely.

Resolution

UrlSanitizer::sanitize() now rejects URLs that contain a backslash or that use a special scheme (http, https, ftp, ws, wss) followed by a single slash or three slashes before parsing, eliminating the parser-differential bypasses. UrlAttributeSanitizer now applies the link policy to both <a> and <area> elements.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Database specific

{
    "cwe_ids": [
        "CWE-184",
        "CWE-436"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-27T20:13:04Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist

symfony/html-sanitizer

Package

Name: symfony/html-sanitizer
Purl: pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.4.40

Affected versions

v6.*

v6.1.0

v6.1.9

v6.1.11

v6.2.0-BETA1

v6.2.0-RC1

v6.2.0

v6.2.2

v6.2.5

v6.2.7

v6.3.0-BETA1

v6.3.0-RC1

v6.3.0

v6.3.4

v6.3.7

v6.3.12

v6.4.0-BETA1

v6.4.0-BETA2

v6.4.0-RC1

v6.4.0

v6.4.3

v6.4.4

v6.4.7

v6.4.8

v6.4.12

v6.4.13

v6.4.17

v6.4.18

v6.4.21

v6.4.24

v6.4.25

v6.4.28

v6.4.35

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json"

symfony/html-sanitizer

Package

Name: symfony/html-sanitizer
Purl: pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.4.12

Affected versions

v7.*

v7.0.0

v7.0.3

v7.0.4

v7.0.7

v7.0.8

v7.1.0-BETA1

v7.1.0-RC1

v7.1.0

v7.1.1

v7.1.5

v7.1.6

v7.1.10

v7.1.11

v7.2.0-BETA1

v7.2.0-RC1

v7.2.0

v7.2.2

v7.2.3

v7.2.6

v7.2.9

v7.3.0-BETA1

v7.3.0-RC1

v7.3.0

v7.3.2

v7.3.3

v7.3.6

v7.4.0-BETA1

v7.4.0-BETA2

v7.4.0-RC1

v7.4.0

v7.4.7

v7.4.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json"

symfony/html-sanitizer

Package

Name: symfony/html-sanitizer
Purl: pkg:composer/symfony%2Fhtml-sanitizer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.0.12

Affected versions

v8.*

v8.0.0

v8.0.7

v8.0.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json"

symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony%2Fsymfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.4.40

Affected versions

v6.*

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.1.10

v6.1.11

v6.1.12

v6.2.0-BETA1

v6.2.0-BETA2

v6.2.0-BETA3

v6.2.0-RC1

v6.2.0-RC2

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.2.6

v6.2.7

v6.2.8

v6.2.9

v6.2.10

v6.2.11

v6.2.12

v6.2.13

v6.2.14

v6.3.0-BETA1

v6.3.0-BETA2

v6.3.0-BETA3

v6.3.0-RC1

v6.3.0-RC2

v6.3.0

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.3.7

v6.3.8

v6.3.9

v6.3.10

v6.3.11

v6.3.12

v6.4.0-BETA1

v6.4.0-BETA2

v6.4.0-BETA3

v6.4.0-RC1

v6.4.0-RC2

v6.4.0

v6.4.1

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.4.7

v6.4.8

v6.4.9

v6.4.10

v6.4.11

v6.4.12

v6.4.13

v6.4.14

v6.4.15

v6.4.16

v6.4.17

v6.4.18

v6.4.19

v6.4.20

v6.4.21

v6.4.22

v6.4.23

v6.4.24

v6.4.25

v6.4.26

v6.4.27

v6.4.28

v6.4.29

v6.4.30

v6.4.31

v6.4.32

v6.4.33

v6.4.34

v6.4.35

v6.4.36

v6.4.37

v6.4.38

v6.4.39

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json"

symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony%2Fsymfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.4.12

Affected versions

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0.7

v7.0.8

v7.0.9

v7.0.10

v7.1.0-BETA1

v7.1.0-RC1

v7.1.0

v7.1.1

v7.1.2

v7.1.3

v7.1.4

v7.1.5

v7.1.6

v7.1.7

v7.1.8

v7.1.9

v7.1.10

v7.1.11

v7.2.0-BETA1

v7.2.0-BETA2

v7.2.0-RC1

v7.2.0

v7.2.1

v7.2.2

v7.2.3

v7.2.4

v7.2.5

v7.2.6

v7.2.7

v7.2.8

v7.2.9

v7.3.0-BETA1

v7.3.0-BETA2

v7.3.0-RC1

v7.3.0

v7.3.1

v7.3.2

v7.3.3

v7.3.4

v7.3.5

v7.3.6

v7.3.7

v7.3.8

v7.3.9

v7.3.10

v7.3.11

v7.4.0-BETA1

v7.4.0-BETA2

v7.4.0-RC1

v7.4.0-RC2

v7.4.0-RC3

v7.4.0

v7.4.1

v7.4.2

v7.4.3

v7.4.4

v7.4.5

v7.4.6

v7.4.7

v7.4.8

v7.4.9

v7.4.10

v7.4.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json"

symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony%2Fsymfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.0.12

Affected versions

v8.*

v8.0.0

v8.0.1

v8.0.2

v8.0.3

v8.0.4

v8.0.5

v8.0.6

v8.0.7

v8.0.8

v8.0.9

v8.0.10

v8.0.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qc95-4862-92fh/GHSA-qc95-4862-92fh.json"