Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-45066

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because <area href> is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 36.6%
CVSS Severity
CVSS v3 Score 6.1
Products affected by CVE-2026-45066


Contact Us

Shodan ® - All rights reserved