Symfony and Symfony HTML Sanitizer Component 6.1.x < 6.4.40 / 7.0.x < 7.4.12 / 8.0.x < 8.0.12 Multiple Vulnerabilities

medium Nessus Plugin ID 318792

Synopsis

A PHP library installed on the remote host is affected by multiple vulnerabilities.

Description

The version of Symfony and/or the Symfony HTML Sanitizer Component installed on the remote host is 6.1.x prior to 6.4.40, 7.0.x prior to 7.4.12, or 8.0.x prior to 8.0.12 and is, therefore, affected by multiple vulnerabilities:

- A visual spoofing vulnerability exists in Symfony Component HtmlSanitizer's UrlSanitizer due to failure to strip Unicode BiDi (bidirectional) formatting characters from URLs. An unauthenticated, remote attacker can exploit this, via crafted URLs containing directional override characters in sanitized content, to display misleading link text that visually differs from the actual destination, enabling phishing attacks against users who view the sanitized HTML. (CVE-2026-45064)

- An allowlist bypass vulnerability exists in Symfony Component HtmlSanitizer's allowLinkHosts/allowLinkSchemes and allowMediaHosts/allowMediaSchemes configuration methods due to parsing discrepancies between RFC 3986 (server-side) and the WHATWG URL Standard (browser-side), and incorrect element type checking for tags. An unauthenticated, remote attacker can exploit this, via crafted URLs using backslash/slash normalization differences or misclassified elements, to bypass host and scheme allowlists and inject malicious off-allowlist URLs into sanitized content. (CVE-2026-45066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Also note that this plugin does not distinguish between PHP packages installed via the OS package manager, PHP packages installed via Composer, or other sources. As a result, packages provided by your OS package repository may have backported fixes that this plugin may incorrectly report as vulnerable. Please refer to the OS-specific plugins for CVE-2026-45064 and CVE-2026-45066 to check for backported fixes.
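A defensive illustration of the two issue classes the description names (an added example, not Symfony's or Tenable's code): it rejects hrefs that carry Unicode BiDi formatting characters and, instead of trusting an RFC 3986 parse, compares the host a WHATWG-conformant browser would actually navigate to against the allowlist, so a URL that looks host-less to a server-side parser cannot resolve to an off-allowlist host in the browser. The browser_host() routine is a simplified approximation of WHATWG host parsing written for this page, and every host name below is a constructed sample.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Unicode BiDi formatting characters: LRM, RLM, ALM and the explicit
# embedding/override/isolate controls (U+202A-U+202E, U+2066-U+2069).
BIDI_CONTROLS = frozenset("\u200e\u200f\u061c\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# WHATWG "special" schemes: browsers treat '\' as '/' after them, which
# RFC 3986 parsers such as urllib.parse do not.
SPECIAL_SCHEMES = frozenset({"http", "https", "ws", "wss", "ftp", "file"})
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.DOTALL)

def contains_bidi_controls(url: str) -> bool:
    """True if the URL carries any BiDi formatting character (visual-spoofing risk)."""
    return any(ch in BIDI_CONTROLS for ch in url)

def browser_host(url: str) -> Optional[str]:
    """Approximate (simplified) WHATWG host parsing; None when there is no authority."""
    m = SCHEME_RE.match(url.strip())
    if not m:
        return None  # relative URL
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme in SPECIAL_SCHEMES:
        rest = rest.replace("\\", "/").lstrip("/")  # '\' -> '/', then skip the slash run
    elif rest.startswith("//"):
        rest = rest[2:]
    else:
        return None  # e.g. mailto:, javascript: carry no host
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1]  # userinfo ends at the *last* '@'
    if host.startswith("["):  # IPv6 literal: keep through the closing bracket
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]  # drop an explicit port
    return host.lower() or None

def href_allowed(url: str, allowed_hosts: frozenset) -> Tuple[bool, str]:
    """Pre-check for a sanitised href: refuse BiDi controls, then allowlist the browser's host."""
    if contains_bidi_controls(url):
        return False, "bidi-control-character"
    host = browser_host(url)
    if host is None:  # relative links pass; scheme-only links (mailto:, javascript:) do not
        return (False, "no-host") if SCHEME_RE.match(url.strip()) else (True, "relative-url")
    if host not in allowed_hosts:
        return False, "host-not-allowed:" + host
    return True, "host-allowed:" + host

def rfc3986_host(url: str) -> Optional[str]:
    """The host an RFC 3986 parser reports; included to expose the discrepancy."""
    return urlsplit(url).hostname
```

For a backslash-delimited http URL, rfc3986_host() returns None (the server sees no host) while browser_host() returns the real destination, which is exactly the gap an allowlist must close.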

Solution

Upgrade Symfony and/or its affected Components to version 6.4.40, 7.4.12, 8.0.12, or later.

See Also

http://www.nessus.org/u?d31f9ef4

https://github.com/advisories/GHSA-h5vq-qfcg-4m6p

http://www.nessus.org/u?ea8c7dcd

https://github.com/advisories/GHSA-qc95-4862-92fh

Plugin Details

Severity: Medium

ID: 318792

File Name: symfony_components_GHSA-h5vq-qfcg-4m6p.nasl

Version: 1.1

Type: Local

Agent: windows

Family: Misc.

Published: 6/5/2026

Updated: 6/5/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-45064

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/a:sensiolabs:symfony

Required KB Items: language_library/package/composer/enumerated

Patch Publication Date: 5/28/2026

Vulnerability Publication Date: 5/28/2026

Reference Information

CVE: CVE-2026-45064, CVE-2026-45066

IAVB: 2026-B-0140