Cross-site scripting in Symfony - CVE-2026-45753

Published: May 21, 2026


Vulnerability identifier: #VU132058
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45753
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SensioLabs
Affected software: Symfony

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to incomplete neutralization of dangerous URL schemes in UrlAttributeSanitizer when sanitizing untrusted HTML with allowed action, formaction, poster, or cite attributes. A remote attacker can supply specially crafted HTML containing a javascript: URI to execute arbitrary script in the victim's browser.

User interaction is required in the action and formaction cases because the victim must submit the form or click the button, and exploitation requires a deliberately permissive sanitizer configuration that allows the affected attributes.
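The following Python is an added illustration and is not Symfony's UrlAttributeSanitizer code (the exact gap in that class is not described on this page). It shows an allowlist check over the URL-bearing attributes the advisory names, beside a naive prefix blocklist of the kind that leaves javascript: URIs incompletely neutralized; the inclusion of href/src in the attribute set and the allowed-scheme list are assumptions.

```python
import html
import re

# Attributes the advisory names as URL-bearing; href/src added as the usual ones (assumption).
URL_ATTRIBUTES = {"action", "formaction", "poster", "cite", "href", "src"}
# Allowlist: any other scheme (javascript, data, vbscript, ...) is rejected outright (assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")
_LEADING_C0_OR_SPACE = re.compile(r"^[\x00-\x20]+")


def naive_is_safe(value: str) -> bool:
    """Generic blocklist check (not Symfony's code): only catches the literal prefix."""
    return not value.lower().startswith("javascript:")


def normalize_url_value(value: str) -> str:
    """Approximate what a browser does with an attribute value before parsing it as a URL."""
    decoded = html.unescape(value)                    # &#106;avascript: -> javascript:
    decoded = _LEADING_C0_OR_SPACE.sub("", decoded)   # leading control chars / spaces are dropped
    return re.sub(r"[\t\r\n]", "", decoded)           # tab/newline inside the scheme are ignored


def is_safe_url(value: str) -> bool:
    """Allowlist check: relative URLs pass, absolute ones only with an allowed scheme."""
    url = normalize_url_value(value)
    m = _SCHEME.match(url)
    if m is None:
        return True  # no scheme: relative or protocol-relative URL, inherits the page's scheme
    return m.group(1).lower() in ALLOWED_SCHEMES


def sanitize_url_attributes(attrs: dict) -> dict:
    """Drop any URL-bearing attribute whose value fails the allowlist check; keep the rest."""
    return {
        name: value
        for name, value in attrs.items()
        if name.lower() not in URL_ATTRIBUTES or is_safe_url(value)
    }


if __name__ == "__main__":
    # Constructed sample: a <form> whose action carries a javascript: URI behind a leading tab.
    sample = {"action": "\tjavascript:alert(1)", "method": "post", "formaction": "/go"}
    print(sanitize_url_attributes(sample))  # action is dropped, method and formaction remain
```

The allowlist is only the scheme check; a sanitizer that admits action or formaction at all still lets untrusted HTML submit forms to attacker-chosen (but allowed-scheme) URLs, which is why the advisory notes that the affected configuration is a deliberately permissive one.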


How to mitigate CVE-2026-45753

Install the security update from the vendor's website.

Sources