Skip to main content

Symfony HtmlSanitizer EUVDEUVD-2026-44348

| CVE-2026-45064 LOW
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-05-27 https://github.com/symfony/symfony GHSA-h5vq-qfcg-4m6p
2.3
CVSS 4.0 · Vendor: https://github.com/symfony/symfony

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/symfony/symfony) · only source for this CVE.

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 19:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
May 27, 2026 - 21:27 vuln.today
Analysis Generated
May 27, 2026 - 21:27 vuln.today

DescriptionCVE.org

Description

Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse() (used by UrlSanitizer::sanitize() and therefore by every HtmlSanitizer config that allows links or media) accepts URLs that contain Unicode explicit-direction BiDi formatting characters: U+202A-U+202E (LRE / RLE / PDF / LRO / RLO) and U+2066-U+2069 (LRI / RLI / FSI / PDI). These characters are passed through unchanged into the href / src attributes produced by HtmlSanitizer. When the resulting HTML is rendered in a browser, the override characters reverse or alter the visual ordering of the URL text, so the displayed link can differ arbitrarily from the actual destination: a classic visual-spoofing / phishing primitive against viewers of sanitized content.

Resolution

UrlSanitizer::parse() now rejects URLs containing the explicit-direction BiDi formatting code points (U+202A-U+202E, U+2066-U+2069) before invoking the underlying URL parser. As an unrelated companion fix in the same patch, spaces inside path/query/fragment are now percent-encoded rather than rejected outright, while spaces in the scheme/authority remain rejected by the post-encoding whitespace check.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Himanshu Anand for reporting the issue and Nicolas Grekas for providing the fix.

AnalysisAI

Symfony HtmlSanitizer's UrlSanitizer::parse() passes Unicode BiDi override characters (U+202A-U+202E, U+2066-U+2069) unchanged into href and src HTML attributes, enabling visual URL spoofing against any application that renders sanitized user-supplied HTML to other users. All HtmlSanitizer configurations that permit links or media elements are affected across symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11, as well as the bundled symfony/symfony 6.1.0-6.4.39. No public exploit has been released and this CVE is not listed in CISA KEV, but the BiDi spoofing technique is a well-documented, low-complexity phishing primitive requiring no authentication on the attacker's side.

Technical ContextAI

The vulnerable code path is Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer::parse(), called by UrlSanitizer::sanitize() and transitively by every HtmlSanitizer policy that allows anchor href or media src attributes. The method failed to check for Unicode explicit-direction BiDi formatting control characters - U+202A (LRE), U+202B (RLE), U+202C (PDF), U+202D (LRO), U+202E (RLO), U+2066 (LRI), U+2067 (RLI), U+2068 (FSI), and U+2069 (PDI) - before passing the URL to the underlying UriString::parse() parser. Browsers interpret these invisible control characters to reverse or reorder the visual rendering of surrounding text, meaning the URL displayed to a user can be entirely different from the actual href destination. CWE-451 (User Interface Misrepresentation of Critical Information) precisely captures this root cause: the library produces structurally valid HTML that the browser faithfully renders in a misleading way. The affected packages are pkg:composer/symfony/html-sanitizer and pkg:composer/symfony/symfony.

RemediationAI

Upgrade to a patched release: symfony/html-sanitizer 6.4.40, 7.4.12, or 8.0.12, and symfony/symfony 6.4.40. The fix (commit 743a435e948b897ef2b5564ac438d4beb95d2526 at https://github.com/symfony/symfony/commit/743a435e948b897ef2b5564ac438d4beb95d2526) adds a preg_match guard that rejects any URL containing the 14 BiDi formatting code points before the URL parser runs. If an immediate upgrade is not possible, a targeted compensating control is to add a pre-processing step that strips or rejects U+202A-U+202E and U+2066-U+2069 from any URL value before it reaches HtmlSanitizer; this mirrors exactly what the patch does and carries no functional side effects for legitimate URLs since these code points have no valid role in a URL. A more disruptive but complete alternative is to disable href and src allowlisting in the HtmlSanitizer policy entirely, which eliminates the attack surface but also removes all hyperlink and media embedding from sanitized output. The official advisory is at https://symfony.com/cve-2026-45064.

Share

EUVD-2026-44348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy