CVE-2026-45066 in Symfony
Summary
by MITRE • 07/14/2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because <area href> is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability in Symfony's HtmlSanitizer component represents a critical inconsistency between standardized URL parsing protocols that enables bypass of security restrictions intended to limit external resource access. This flaw affects versions from 6.1.0-BETA1 through 6.4.39, 7.4.11, and 8.0.11, creating a scenario where malicious actors can circumvent host allowlists configured through the allowLinkHosts() and allowMediaHosts() methods. The root cause stems from the fundamental difference in how the UrlSanitizer::parse() method processes URLs according to RFC 3986 standards versus browser implementations that follow WHATWG URL parsing rules. This protocol mismatch creates a gap where certain URL formats that would be rejected under RFC 3986 validation are accepted by browser-based parsing, allowing unauthorized external resources to be loaded.
The technical implementation of this vulnerability manifests through the incorrect application of security policies during URL validation. Specifically, when processing <area href> elements, the sanitizer incorrectly applies media policy checks rather than link policy validations, which creates an additional vector for bypassing host restrictions. This misapplication occurs because the HtmlSanitizer component fails to properly distinguish between different types of URL references within HTML elements, particularly those that serve different purposes in web applications. The vulnerability specifically targets the sanitization logic that handles cross-origin resource loading, where link policies should restrict external navigation while media policies govern embedded content.
From an operational perspective, this vulnerability exposes applications using affected Symfony versions to potential security risks including cross-site scripting attacks, malicious code execution through unauthorized resource loading, and data exfiltration via external domains. Attackers can exploit this inconsistency to load malicious scripts from unrestricted domains that would normally be blocked by host allowlists, potentially leading to full compromise of web applications. The impact extends beyond simple content rendering issues since it undermines the core security assumptions of the HtmlSanitizer component, which is designed to prevent untrusted HTML content from accessing external resources in a controlled manner. This vulnerability directly relates to CWE-20, "Improper Input Validation," and CWE-94, "Improper Control of Generation of Code," as it allows for the execution of unintended code through malformed URL handling.
The mitigation strategy requires immediate upgrade to patched versions 6.4.40, 7.4.12, and 8.0.12 where the parsing inconsistencies have been resolved through alignment with WHATWG URL standards and proper policy application. Organizations should also implement comprehensive security testing of HTML sanitization logic, particularly focusing on edge cases involving URL normalization and protocol handling. Additional defensive measures include thorough code reviews of custom HTML sanitization implementations, monitoring for unauthorized external resource access patterns, and implementing network-level controls to complement application-level protections. This vulnerability demonstrates the critical importance of maintaining consistency across parsing standards in security-critical components and aligns with ATT&CK technique T1203, "Exploitation for Client Execution," as it enables attackers to execute malicious code through browser-based URL handling mechanisms that bypass traditional security controls.