security-advisories/symfony/html-sanitizer/CVE-2026-45064.yaml at master · FriendsOfPHP/security-advisories · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
title:     "CVE-2026-45064: HtmlSanitizer URL Attributes Pass Through BiDi Override Characters → Visual href Spoofing"
link:      https://symfony.com/cve-2026-45064
cve:       CVE-2026-45064
branches:
    6.1.x:
        time:     ~
        versions: ['>=6.1.0', '<6.2.0']
    6.2.x:
        time:     ~
        versions: ['>=6.2.0', '<6.3.0']
    6.3.x:
        time:     ~
        versions: ['>=6.3.0', '<6.4.0']
    6.4.x:
        time:     2026-05-20 08:00:00
        versions: ['>=6.4.0', '<6.4.40']
    7.0.x:
        time:     ~
        versions: ['>=7.0.0', '<7.1.0']
    7.1.x:
        time:     ~
        versions: ['>=7.1.0', '<7.2.0']
    7.2.x:
        time:     ~
        versions: ['>=7.2.0', '<7.3.0']
    7.3.x:
        time:     ~
        versions: ['>=7.3.0', '<7.4.0']
    7.4.x:
        time:     2026-05-20 08:00:00
        versions: ['>=7.4.0', '<7.4.12']
    8.0.x:
        time:     2026-05-20 08:00:00
        versions: ['>=8.0.0', '<8.0.12']
reference: composer://symfony/html-sanitizer