User Interface (UI) Misrepresentation of Critical Information in symfony/html-sanitizer | CVE-2026-45064

Q: How to fix?

Upgrade symfony/html-sanitizer to version 6.4.40, 7.4.12, 8.0.12 or higher.

Introduced: 20 May 2026

NewCVE-2026-45064 (opens in a new tab) CWE-451 (opens in a new tab)

How to fix?

Upgrade symfony/html-sanitizer to version 6.4.40, 7.4.12, 8.0.12 or higher.

Overview

symfony/html-sanitizer is a Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.

Affected versions of this package are vulnerable to User Interface (UI) Misrepresentation of Critical Information via UrlSanitizer::parse() in the HtmlSanitizer component. An attacker can perform visual spoofing or phishing attacks by supplying URLs containing Unicode bidirectional formatting characters, which are preserved in sanitized href and src attributes. When rendered in a browser, these characters alter the visual ordering of the displayed URL, causing it to appear different from the actual destination.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
Low
Integrity (SI)
None
Availability (SA)
Low

User Interface (UI) Misrepresentation of Critical Information Affecting symfony/html-sanitizer package, versions <6.4.40>=7.0.0-BETA1, <7.4.12>=8.0.0-BETA1, <8.0.12

Severity

Do your applications use this vulnerable package?

Introduced: 20 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk