Skip to main content

Symfony HtmlSanitizer CVE-2026-45753

| EUVDEUVD-2026-44344 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-28 https://github.com/symfony/symfony GHSA-hhg7-c65m-h7ff
2.1
CVSS 4.0 · Vendor: https://github.com/symfony/symfony

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 19:22 NVD
2.1 (LOW)
Source Code Evidence Fetched
May 28, 2026 - 17:21 vuln.today
Analysis Generated
May 28, 2026 - 17:21 vuln.today

DescriptionCVE.org

Description

symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is *kept* is decided by the element/attribute allow-list; validating the *scheme* of a URL attribute is solely UrlAttributeSanitizer's responsibility.

UrlAttributeSanitizer::getSupportedAttributes() returned only ['src', 'href', 'lowsrc', 'background', 'ping']. The HTML URL-valued attributes action (<form>), formaction (<button>, <input type=image>), poster (<video>) and cite (<blockquote>, <q>, <del>, <ins>) were missing from that list, so DomVisitor never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a javascript: URI in it survived sanitisation.

Conditions for exploitation

allowSafeElements() is not affected: <form> and the formaction attribute are both flagged unsafe in W3CReference, and allowElement('form') resets the element's attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:

  • <form> + action: allowElement('form', '*'), allowElement('form', ['action', …]), allowElement('form')->allowAttribute('action', 'form'), or the allowStaticElements() preset (whose docblock already warns the output "may still contain other dangerous behaviors");
  • <button> / <input type=image> + formaction: allowElement(…, '*'), allowAttribute('formaction', …), or allowStaticElements();
  • <blockquote> / <q> / <del> / <ins> + cite, or <video> + poster: similarly via '*', allowAttribute(), or allowStaticElements().

For the action / formaction cases the victim must additionally submit the form or click the button.

Resolution

UrlAttributeSanitizer now also handles action, formaction, cite and poster. action / formaction / cite are validated against the link schemes (like <a href>, so javascript: is rejected and data: is dropped too); poster is validated against the media schemes (so data: images keep working). The behaviour of <a href> and <img src> is unchanged.

One behaviour change to be aware of: a relative action="/submit" on an allowed <form> is now dropped by default (the same as <a href> / <img src> today); ->allowRelativeLinks() re-enables it.

The patch for this issue is available here for branch 6.4.

Credits

Symfony would like to thank Himanshu Anand and Rémi Pelloux for reporting the issue and Nicolas Grekas for providing the fix.

AnalysisAI

Stored XSS via bypass in Symfony's HtmlSanitizer component allows javascript: URIs to survive sanitization when applications use permissive configurations that admit action, formaction, poster, or cite attributes. The root cause is an incomplete attribute list in UrlAttributeSanitizer::getSupportedAttributes(), which caused DomVisitor to skip URI scheme validation entirely for those four attribute types. No public exploit identified at time of analysis and no CVSS score has been assigned, but successful exploitation enables JavaScript execution in victims' browsers - with the attack gated behind non-default sanitizer configuration choices made by the integrating application.

Technical ContextAI

The affected code lives in the UrlAttributeSanitizer class within the symfony/html-sanitizer Composer package (also distributed as part of symfony/symfony). This class implements a visitor pattern: DomVisitor iterates over DOM elements and invokes registered visitors only for the attributes they declare via getSupportedAttributes(). UrlAttributeSanitizer was responsible for stripping dangerous schemes such as javascript: and data: from URL-valued attributes, but its supported list was ['src', 'href', 'lowsrc', 'background', 'ping'] - omitting action (used on <form>), formaction (used on <button> and <input type=image>), poster (used on <video>), and cite (used on <blockquote>, <q>, <del>, <ins>). Because DomVisitor never dispatched those attributes to UrlAttributeSanitizer, any javascript: URI placed in them would pass through unmodified if the element/attribute allow-list permitted the attribute. The root cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), specifically a sanitizer bypass variant rather than a missing-sanitization variant. Affected packages are pkg:composer/symfony/html-sanitizer and pkg:composer/symfony/symfony.

RemediationAI

Upgrade to symfony/html-sanitizer 6.4.40, 7.4.12, or 8.0.12 (or the corresponding symfony/symfony release), which extend UrlAttributeSanitizer to cover action, formaction, cite, and poster. The upstream fix is available as commit 26a598fcfc4f903cc55ff202f642ee621839825e at https://github.com/symfony/symfony/commit/26a598fcfc4f903cc55ff202f642ee621839825e. One behavioral side-effect to plan for: after patching, relative action values (e.g., action="/submit") on allowed <form> elements will be dropped by default, consistent with how <a href> and <img src> are already handled; call ->allowRelativeLinks() on the sanitizer builder to restore relative action support if your application requires it. If immediate patching is blocked, the most effective compensating control is to audit sanitizer configurations and remove any explicit allowances for action, formaction, poster, or cite attributes - specifically, replace allowElement('form', '*'), allowAttribute('formaction', ...), and allowStaticElements() usages with narrower allow-lists that exclude these attributes. This trade-off restricts HTML rendering capabilities but eliminates the injection surface until the patch can be applied.

Share

CVE-2026-45753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy