CVE-2026-45753
Received Received - Intake

Cross-Site Scripting in Symfony Framework

Vulnerability report for CVE-2026-45753, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes() omits URL-valued attributes including action, formaction, poster, and cite, so configurations that admit those attributes can leave javascript: URIs unsanitized and enable XSS when the resulting HTML is rendered or a victim submits a form or clicks a button. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
symfony symfony 6.4.40
symfony symfony 7.4.12
symfony symfony 8.0.12
symfony symfony From 6.1.0-BETA1 (inc) to 6.4.40 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45753 is a vulnerability in the Symfony PHP framework, specifically in the HtmlSanitizer component's UrlAttributeSanitizer class. The issue occurs because the sanitizer fails to validate certain URL-valued HTML attributes, including action, formaction, poster, and cite.

This omission allows malicious javascript: URIs to remain unsanitized in these attributes. When the resulting HTML is rendered or when a user interacts with a form or button, this can lead to cross-site scripting (XSS) attacks. The vulnerability affects Symfony versions from 6.1.0-BETA1 up to but not including 6.4.40, 7.4.12, and 8.0.12.

  • The vulnerability is fixed in versions 6.4.40, 7.4.12, and 8.0.12 by including the previously omitted attributes in the sanitization process.
Impact Analysis

This vulnerability can impact you if you use the Symfony framework with configurations that allow the affected HTML attributes (action, formaction, poster, or cite) in untrusted input. The impact includes:

  • Cross-Site Scripting (XSS) attacks: Attackers can inject malicious JavaScript code into web pages, which executes when users interact with the page (e.g., submitting a form or clicking a button).
  • Compromised user data: XSS attacks can steal sensitive information, such as session cookies, credentials, or other personal data, from users visiting the affected page.
  • Unauthorized actions: Attackers can perform actions on behalf of users, such as changing account settings or making unauthorized transactions.

The vulnerability requires user interaction for attributes like action and formaction, while poster and cite can be exploited without additional interaction.

Compliance Impact

This vulnerability can affect compliance with several common standards and regulations, including:

  • GDPR (General Data Protection Regulation): XSS vulnerabilities can lead to unauthorized access to personal data, violating GDPR's requirements for data protection and privacy. Organizations may face fines or legal consequences if user data is compromised due to this vulnerability.
  • HIPAA (Health Insurance Portability and Accountability Act): If the affected application handles protected health information (PHI), an XSS attack could expose sensitive patient data, leading to non-compliance with HIPAA's security and privacy rules.
  • PCI DSS (Payment Card Industry Data Security Standard): If the application processes payment card data, an XSS vulnerability could result in the theft of cardholder information, violating PCI DSS requirements for securing cardholder data.
  • ISO 27001: This standard requires organizations to implement controls to manage information security risks. An unpatched XSS vulnerability could indicate a failure to meet these requirements, potentially leading to non-compliance.

Addressing this vulnerability by applying the provided patches is essential to maintaining compliance with these standards and regulations.

Detection Guidance

Detecting this vulnerability requires checking if your Symfony application uses the HtmlSanitizer component with permissive configurations that allow the affected URL-valued attributes (action, formaction, poster, or cite). Since this is a code-level vulnerability, detection involves inspecting the application's configuration and dependencies.

  • Check the Symfony version: Verify if your application is running an affected version (6.1.0-BETA1 to 6.4.39, 7.0.0 to 7.4.11, or 8.0.0 to 8.0.11). You can do this by running `composer show symfony/symfony` or checking the `composer.lock` file for the installed version.
  • Inspect HtmlSanitizer configurations: Look for code that uses `allowElement()` with permissive settings like `allowElement('form', '*')` or `allowStaticElements()`, as these may allow the vulnerable attributes. Search for `UrlAttributeSanitizer` usage in your codebase.
  • Review HTML input handling: Check if your application processes untrusted HTML input containing the attributes `action`, `formaction`, `poster`, or `cite`. This may require manual code review or static analysis tools to identify potential XSS vectors.
  • Test for XSS payloads: If you have a test environment, you can attempt to inject benign XSS payloads (e.g., `<form action="javascript:alert(1)">`) to see if they are sanitized. If the payload executes, the vulnerability may be present.
Mitigation Strategies

To mitigate CVE-2026-45753, follow these steps:

  • Upgrade Symfony: Update to the latest patched version (6.4.40, 7.4.12, or 8.0.12) immediately. Run `composer update symfony/symfony` to apply the fix.
  • Review HtmlSanitizer configurations: If upgrading is not immediately possible, restrict the use of permissive configurations like `allowElement('form', '*')` or `allowStaticElements()`. Instead, explicitly allow only the attributes and elements your application requires.
  • Sanitize untrusted HTML input: Ensure all user-provided HTML is passed through the HtmlSanitizer with strict attribute validation. Avoid allowing URL-valued attributes unless absolutely necessary.
  • Monitor for malicious input: Implement input validation and logging to detect attempts to exploit this vulnerability, such as submissions containing `javascript:` or `data:` URIs in the affected attributes.
  • Apply temporary workarounds: If upgrading is delayed, consider manually patching the `UrlAttributeSanitizer` class to include the missing attributes (`action`, `formaction`, `poster`, and `cite`) in the sanitization process, as described in Resource 1.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45753. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart