pkg:Packagist/symfony/html-sanitizer
3 total CVEs
All known vulnerabilities
- CVE-2026-45066: Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification (affected: >= 6.1.0, < 6.4.40)
- CVE-2026-45064: Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing (affected: >= 6.1.0, < 6.4.40)
- CVE-2026-45753: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite: `javascript:` URI Survives Sanitization (XSS) (affected: >= 6.1.0, < 6.4.40)