How CVE-2026-45064 (and CVE-2026-48760) Work
The Symfony `HtmlSanitizer` component is used to clean untrusted HTML, preventing XSS and other injection attacks. A critical part of this is the `UrlSanitizer::parse()` method, which sanitizes URLs inside attributes like `href` and `src`. The original defense mechanism was designed to reject URLs containing certain malicious patterns. However, researchers discovered multiple ways to bypass these filters, creating a significant visual-spoofing vulnerability (CVE-2026-45064) and a related filter bypass for Unicode whitespace characters (CVE-2026-48760).
The core issue (CVE-2026-45064) lies in the handling of Unicode Bidirectional (BiDi) formatting characters. These are special control characters used to dictate the direction of text (e.g., left-to-right or right-to-left) in environments that support complex scripts. The key BiDi characters are the explicit-direction formatting codes: U+202A–U+202E (LRE, RLE, PDF, LRO, RLO) and U+2066–U+2069 (LRI, RLI, FSI, PDI). An attacker can insert these characters into a URL, e.g., `<a href="https://[U+202E]evil.com/example.com">`, where `[U+202E]` stands for the raw Right-to-Left Override character.
When a browser renders the sanitized HTML, it processes these BiDi control characters. Because the sanitizer failed to strip them out, they are passed directly to the `href` attribute. With a sequence like `https://[U+202E]evil.com/example.com`, the override reorders the displayed characters wherever the URL is shown as text, so the link can appear to point at `example.com` even though the actual destination is `evil.com`. The spoof is purely visual: the URL the browser actually requests is unchanged.
The original filter only looked for the raw UTF-8 bytes of these control characters. It completely failed to check for their percent-encoded equivalents, such as `%E2%80%AE` (for U+202E) or `%E2%81%A6` (for U+2066). These encoded forms would bypass the regex filter, survive the parsing cycle of the `league/uri` library, and be emitted unchanged in the final sanitized URL. Any downstream consumer that later decoded the URL (like a phishing-detection filter or audit log dashboard) would restore the BiDi character and the visual spoof, negating the original defense.
The second component of this vulnerability, more deeply explored in CVE-2026-48760, is the mishandling of Unicode whitespace. The `UrlSanitizer::parse()` method used an ASCII-only `/\s/` whitespace check. In PCRE, without the `/u` modifier, `\s` only matches ASCII whitespace (space, tab, newline, etc.). This allowed a wide range of Unicode whitespace characters to pass through untouched, both in raw and percent-encoded forms. Characters like NBSP (U+00A0), the Zero-Width No-Break Space (U+FEFF), Ogham Space Mark (U+1680), or the en/em quad family (U+2000–U+200A) bypassed the filter. An attacker could insert `example .com` (with a non-breaking space) or use percent-encoded forms like `%C2%A0` to circumvent `allowLinkHosts` allow-lists. When a consumer strips whitespace during comparison, the intended host `example.com` is allowed, but the host actually parsed from the emitted URL is still `example .com` (with the NBSP), which could point to a malicious server. The fix for these issues was to reject both raw and percent-encoded BiDi marks and Unicode whitespace in all parsed URL components.
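The two bypass classes above, modelled as an added example that is not Symfony's code: a filter with the pre-fix behaviour (raw string only, ASCII-only `\s`, with Python's `re.ASCII` standing in for PCRE without `/u`) beside a hardened filter that checks every URL component both as written and after percent-decoding, plus a hypothetical downstream allow-list consumer that strips whitespace before comparing hosts. It is written in Python rather than PHP so it runs stand-alone; the function names, the `PAYLOADS` table and `ALLOWED_HOSTS` are constructed for the example, and Python's `urllib` stands in for `league/uri`.

```python
"""Added example, not Symfony's code: models the pre-fix URL filter and a
hardened one that rejects raw and percent-encoded BiDi marks and Unicode
whitespace in every URL component. All names and payloads are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Explicit-direction BiDi formatting characters listed in the advisory:
# U+202A..U+202E (LRE, RLE, PDF, LRO, RLO) and U+2066..U+2069 (LRI, RLI, FSI, PDI).
BIDI_RE = re.compile(r"[\u202A-\u202E\u2066-\u2069]")

# Pre-fix style whitespace check: ASCII-only, like PCRE /\s/ without the u modifier.
ASCII_WS_RE = re.compile(r"\s", re.ASCII)

# Hardened whitespace check: Unicode-aware \s (NBSP, Ogham space, U+2000-U+200A, ...)
# plus U+FEFF, which Python's \s does not classify as whitespace.
UNICODE_WS_RE = re.compile(r"[\s\uFEFF]")


def vulnerable_is_safe(url: str) -> bool:
    """Models the original filter: inspects only the raw string and only ASCII
    whitespace, so percent-encoded BiDi marks and Unicode whitespace pass."""
    return not (BIDI_RE.search(url) or ASCII_WS_RE.search(url))


def hardened_is_safe(url: str) -> bool:
    """Models the fixed behaviour: each component is checked as written and
    after percent-decoding, so an encoded mark cannot survive to a consumer
    that decodes the URL later."""
    try:
        parts = urlsplit(url)
    except ValueError:  # unparsable input is rejected rather than passed through
        return False
    for component in (parts.scheme, parts.netloc, parts.path, parts.query, parts.fragment):
        for view in (component, unquote(component)):  # raw and decoded views
            if BIDI_RE.search(view) or UNICODE_WS_RE.search(view):
                return False
    return True


def parsed_host(url: str) -> str:
    """The host a URL parser actually uses, with no whitespace stripping."""
    return urlsplit(url).hostname or ""


def host_allowed_naively(url: str, allowed_hosts: frozenset[str]) -> bool:
    """Hypothetical downstream allow-list check that strips whitespace before
    comparing: 'example\\xa0.com' collapses to 'example.com' and is accepted,
    although the emitted href still carries the NBSP."""
    return "".join(parsed_host(url).split()) in allowed_hosts


# Constructed payloads mirroring the bypass classes described in the text.
PAYLOADS = {
    "benign":            "https://example.com/path?q=1#top",
    "raw_rlo":           "https://\u202Eevil.com/example.com",     # U+202E raw
    "encoded_rlo":       "https://%E2%80%AEevil.com/example.com",  # U+202E encoded
    "encoded_lri_path":  "https://example.com/%E2%81%A6spoof",     # U+2066 in path
    "raw_nbsp_host":     "https://example\u00A0.com/",             # NBSP in host
    "encoded_nbsp_host": "https://example%C2%A0.com/",             # NBSP encoded
    "ogham_space":       "https://example.com/a\u1680b",           # U+1680 in path
    "zwnbsp_query":      "https://example.com/?q=%EF%BB%BF",       # U+FEFF in query
}

ALLOWED_HOSTS = frozenset({"example.com"})


def evaluate(payloads: dict[str, str] = PAYLOADS) -> dict[str, tuple[bool, bool]]:
    """Return {name: (pre_fix_verdict, hardened_verdict)}; True means 'allowed'."""
    return {name: (vulnerable_is_safe(u), hardened_is_safe(u)) for name, u in payloads.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:18} pre-fix={'pass' if old else 'reject'}  hardened={'pass' if new else 'reject'}")
    nbsp = PAYLOADS["raw_nbsp_host"]
    print("naive allow-list accepts:", host_allowed_naively(nbsp, ALLOWED_HOSTS),
          "| host actually parsed:", repr(parsed_host(nbsp)))
```

Running the script shows every encoded or Unicode-whitespace payload passing the pre-fix filter and failing the hardened one, while the raw RLO payload is caught by both. The decisive design point is the inner loop over `(component, unquote(component))`: a filter that inspects only the bytes as written is exactly what lets `%E2%80%AE` and `%C2%A0` through, and checking the decoded view per component (rather than decoding the whole URL, which would also turn an encoded `/` or `?` into a delimiter) closes that gap without changing how the URL is parsed.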
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: Symfony HtmlSanitizer
Version: 6.1.0 ≤ v < 6.4.40, 7.0.0 ≤ v < 7.4.12, 8.0.0 ≤ v < 8.0.12
Vulnerability : CVE-2026-45064 (UI Misrepresentation)
Severity: Medium (CVSS 5.3)
Date: 2026-05-20
<h2 style="color: blue;">Prediction: Fixed in v6.4.40, v7.4.12, v8.0.12 (2026-05-27)</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Analytics and detection methods for CVE-2026-45064 can be implemented using various command-line tools. To identify if an application is vulnerable, an engineer can scan for the presence of the affected `symfony/html-sanitizer` package versions using Composer.
# Check the currently installed version of symfony/html-sanitizer
composer show symfony/html-sanitizer
# Check composer.lock against the security advisory database
composer audit
# Grep the pinned version out of composer.lock
grep -A 10 '"name": "symfony/html-sanitizer"' composer.lock | grep '"version"'
For a more direct check, search the vendor directory for `UrlSanitizer.php` and inspect its BiDi and whitespace handling. Both greps below are heuristics that depend on the exact wording of the shipped source; the installed version number is the authoritative signal.
# Locate UrlSanitizer.php and show whether it references explicit-direction BiDi handling
find ./vendor -name "UrlSanitizer.php" -exec grep -Hn "explicit-direction BiDi" {} \;
# List every whitespace regex in the file; a pattern such as /\s/ whose closing delimiter is not followed by the u modifier is ASCII-only
find ./vendor -name "UrlSanitizer.php" -exec grep -Hn '\\s' {} \;
<h2 style="color: blue;">Exploit:</h2>
An attacker could exploit this vulnerability by injecting a crafted URL into a comment, forum post, or any other user-submitted content that is processed by the `HtmlSanitizer`. The payload would leverage BiDi override characters or Unicode whitespace. In the payloads below, `[U+202E]` and `[U+00A0]` stand for the raw characters.
BiDi Spoofing Payload: `<a href="https://[U+202E]evil.com/example.com">Click Here</a>`. When rendered, the BiDi override could force the visible text to appear as a trusted domain while the link points to a malicious site.
Whitespace Bypass Payload: `<a href="https://example[U+00A0].com">Click Here</a>`. An `allowLinkHosts` check that strips whitespace before comparing would see `example.com`, but the href still carries the NBSP, so the host the browser actually parses is `example .com` (with the NBSP), which is not the allow-listed host and could resolve to a different server.
Percent-Encoded BiDi: `<a href="https://%E2%80%AEevil.com/example.com">Click Here</a>`. The percent-encoded BiDi character bypasses the original raw-byte filter and is restored by any consumer that percent-decodes the URL before displaying it, enabling the same visual spoof.
<h2 style="color: blue;">Protection:</h2>
The primary protection against this vulnerability is to immediately upgrade the `symfony/html-sanitizer` component to a patched version.
composer update symfony/html-sanitizer
Note that `composer update` only moves within the constraint already in composer.json; if that constraint excludes the patched release, require it explicitly, using the line that matches the major version your project is on:
composer require symfony/html-sanitizer:^6.4.40
composer require symfony/html-sanitizer:^7.4.12
composer require symfony/html-sanitizer:^8.0.12
If immediate upgrading is not possible, a temporary workaround is to implement a Web Application Firewall (WAF) rule that blocks requests containing these Unicode ranges in either raw or percent-encoded form before they reach the application. This only covers input that passes through the WAF, so content arriving via APIs, imports or other channels is not protected. Upgrading is the only complete fix, as the patch now properly denies these characters in both raw and percent-encoded forms for all URL components.
<h2 style="color: blue;">Impact:</h2>
The impact of this vulnerability is moderate to high for applications that accept untrusted HTML input and display user-generated content. A successful attack could lead to highly effective phishing campaigns. Attackers could create comment sections or user profiles where a link visually appears to point to `accounts.google.com` but actually directs the user to a malicious credential-harvesting server. This undermines the trust and security guarantees provided by the sanitization library, potentially leading to credential theft, session hijacking, or the distribution of malware. The CVSS score of 5.3 (Medium) reflects the need for user interaction (the user must click the link) and the resultant impact on integrity.
Sources:
Reported By: github.com