| CVE-2026-45064 | medium | — | 5.5 | | | | 17d ago | Symfony's HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing |
| CVE-2026-45066 | medium | — | 5.5 | | | | 17d ago | Symfony has an HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and <area> Misclassification |
| CVE-2026-48760 | unknown | — | — | | | | 11d ago | CVE-2026-48760: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense |
| CVE-2026-48761 | unknown | — | — | | | | 11d ago | CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content |
| CVE-2026-45753 | unknown | — | — | | | | 17d ago | Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript:` URI Survives Sanitization (XSS) |