Upgrade symfony/html-sanitizer to version 6.4.40, 7.4.12, 8.0.12 or higher.
symfony/html-sanitizer provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.
Affected versions of this package (releases before the fixed versions listed above) are vulnerable to Interpretation Conflict in the URL parsing and policy enforcement of UrlSanitizer/UrlAttributeSanitizer. An attacker can bypass the configured link or media host and scheme allowlists in two ways: by supplying crafted URLs that Symfony's RFC 3986-style parser and the WHATWG URL parser used by browsers interpret differently, so the sanitizer checks one host or scheme while the browser navigates to another; or by using <area href> elements, which are checked against the wrong policy. In both cases an off-allowlist destination survives sanitization and is rendered as a trusted link or media URL. The practical consequence is that an allowlist enforced on the sanitizer's own parse of a URL is only as strong as that parse's agreement with the browser's.