PatchSiren cyber security CVE debrief
CVE-2026-45066 symfony CVE debrief
CVE-2026-45066 is a low-severity vulnerability in Symfony's HtmlSanitizer component. The issue allows off-allowlist URLs to pass through certain methods, such as allowLinkHosts() or allowMediaHosts(), due to differences in URL parsing between UrlSanitizer::parse() and browser behavior. This vulnerability affects Symfony versions from 6.1.0-BETA1 to 6.4.40, 7.4.12, and 8.0.12. The issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. Affected deployments should be reviewed for exposure and updated to a fixed version.
- Vendor
- symfony
- Product
- Unknown
- CVSS
- LOW 2.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Developers and administrators using Symfony versions 6.1.0-BETA1 to 6.4.40, 7.4.12, and 8.0.12 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing URL sanitization policies and monitoring for potential exploitation attempts.
Technical summary
The vulnerability arises from the HtmlSanitizer component's URL sanitization mechanism, which allows off-allowlist URLs through certain methods. This is due to the component following RFC 3986 for URL parsing, while browsers use the WHATWG URL parsing standard. Specifically, the issue occurs with <area href> tags, which are checked against the media policy rather than the link policy. The vulnerability has a CVSS score of 2.3 and is classified as low severity. Defenders should review and update URL sanitization policies to mitigate this vulnerability.
Defensive priority
Low
Recommended defensive actions
- Update Symfony to version 6.4.40, 7.4.12, or 8.0.12
- Review and update URL sanitization policies
- Monitor for potential exploitation attempts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-14T18:17:16.703Z and last modified on 2026-07-16T15:16:31.367Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected Symfony versions and configurations.
Official resources
-
CVE-2026-45066 CVE record
CVE.org
-
CVE-2026-45066 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Product, Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T18:17:16.703Z and has not been modified since then. The NVD entry is currently Analyzed.