Listen to this Post
How CVE-2026-45753 Works
Symfony’s `html-sanitizer` component is designed to cleanse untrusted HTML before it is inserted into a DOM, preventing malicious code execution. At its core, the `UrlAttributeSanitizer` acts as a specialized visitor that iterates over every HTML element, validating URL-valued attributes and stripping out dangerous URI schemes like javascript:.
The vulnerability stems from an incomplete allow-list within the `UrlAttributeSanitizer::getSupportedAttributes()` method. This method returns the set of attributes that the sanitizer should inspect for URL schemes. In vulnerable versions, this list was limited to src, href, lowsrc, background, and ping. Critically, it omitted other HTML5 attributes that also accept URLs and can trigger script execution: `action` (on <form>), `formaction` (on `
DailyCVE Form
Platform: Symfony
Version: 6.1.0–6.4.39, 7.0.0–7.4.11, 8.0.0–8.0.11
Vulnerability: Cross-site Scripting (XSS)
Severity: Low (CVSS 4.0: 2.1)
Date: 2026-07-14
Prediction: 2026-07-15 (patch available)
What Undercode Say: Analytics
> CVSS Score: 2.1 (Low) – Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE: CWE-79 (Improper Neutralization of Input) & CWE-184 (Incomplete List of Disallowed Inputs)
EPSS: 0.08% (probability of exploitation in the wild)
Exploitation: None known; Automatable: No; Technical Impact: Partial
Bash Commands to Check Vulnerable Version:
Check your Symfony version via composer
composer show symfony/symfony | grep versions
Or for the standalone component
composer show symfony/html-sanitizer | grep versions
Check if you are vulnerable (example for version 6.4.39)
php -r "echo version_compare('6.4.39', '6.4.40', '<') ? 'Vulnerable' : 'Safe';"
Code Snippet Demonstrating the Flaw:
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
// Permissive configuration that allows 'action' on forms
$config = (new HtmlSanitizerConfig())
->allowElement('form', ['action']) // or allowElement('form', '')
->allowRelativeLinks(); // Optional, but doesn't affect the flaw
$sanitizer = new HtmlSanitizer($config);
// Malicious input with javascript: URI in action
$dirtyHtml = '<form action="javascript:alert(\'XSS\')"><input type="submit"></form>';
// Vulnerable versions will NOT strip the javascript: scheme
$cleanHtml = $sanitizer->sanitize($dirtyHtml);
echo $cleanHtml; //
<
form action="javascript:alert('XSS')">... (XSS persists)
Exploit
An attacker can exploit this vulnerability by injecting HTML containing `javascript:` URIs into attributes that are not validated. The most direct vectors are:
1. Form Action: `
