PT-2026-44133 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45064
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 5.4.31
Description: The parse() method of Symfony\Component\HtmlSanitizer\TextSanitizer\UrlSanitizer (used by UrlSanitizer::sanitize(), and therefore by any HtmlSanitizer configuration that allows links or media) does not filter the Unicode explicit-direction BiDi formatting characters (U+202A–U+202E and U+2066–U+2069). These characters are passed unchanged into href and src attributes. When a browser renders the URL text, they can change its visual ordering, so the link a user sees differs from the actual destination. This enables visual spoofing and phishing.
Recommendations: Update to version 5.4.31 or later. Until the update is applied, as a temporary workaround, avoid calling parse() directly and disable HtmlSanitizer configurations that allow links and media.
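The following is an added, stand-alone example (not Symfony's code and not part of this advisory) showing the check a caller can put in front of URL sanitization while still on an affected version: it locates the explicit-direction controls named above in a candidate href/src value and either rejects the value or strips them. The function names, the constructed sample URLs and the evil.example host are assumptions for illustration only.

```python
from __future__ import annotations

import re

# Added example, not Symfony code. The class covers exactly the ranges the
# advisory names: U+202A..U+202E (LRE, RLE, PDF, LRO, RLO) and
# U+2066..U+2069 (LRI, RLI, FSI, PDI).
_BIDI_CONTROL_RE = re.compile("[\u202A-\u202E\u2066-\u2069]")

# Constructed sample inputs (hypothetical hosts; not taken from the advisory).
CLEAN_URL = "https://example.com/account/login"
# U+202E (RIGHT-TO-LEFT OVERRIDE) right after the path slash: a browser shows
# the characters that follow it right-to-left, so the logical text
# ".../elpmaxe.knab" is displayed as ".../bank.example" while the real
# destination is evil.example.
SPOOFED_URL = "https://evil.example/\u202Eelpmaxe.knab"
# Isolate pair U+2067 (RLI) ... U+2069 (PDI) wrapping part of the path.
ISOLATED_URL = "https://example.com/\u2067x\u2069"


def find_bidi_controls(url: str) -> list[tuple[int, str]]:
    """Return (offset, 'U+XXXX') for every explicit-direction control in url."""
    return [
        (m.start(), f"U+{ord(m.group()):04X}")
        for m in _BIDI_CONTROL_RE.finditer(url)
    ]


def sanitize_url_attribute(url: str | None, *, reject: bool = True) -> str | None:
    """Pre-filter for a value that will land in an href or src attribute.

    reject=True (default): return None when any explicit-direction control is
    present, so the caller drops the attribute entirely.
    reject=False: strip the controls instead. This keeps the link but silently
    changes its text, so prefer rejecting when the input is untrusted.
    """
    if url is None:
        return None
    if not _BIDI_CONTROL_RE.search(url):
        return url
    if reject:
        return None
    return _BIDI_CONTROL_RE.sub("", url)


def _demo() -> None:
    # Prints the offsets found and the filtered result for each sample.
    for label, url in (
        ("clean", CLEAN_URL),
        ("spoofed", SPOOFED_URL),
        ("isolated", ISOLATED_URL),
    ):
        print(label, find_bidi_controls(url), sanitize_url_attribute(url))


if __name__ == "__main__":
    _demo()
```

Run the filter on the raw attribute value before it reaches the sanitizer; rejecting is the safer default because a stripped URL is no longer the string the author submitted. The character class is limited to the ranges this advisory names, so it mirrors what the 5.4.31 fix addresses rather than a general confusable-character policy.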

Weakness Enumeration
UI Misrepresentation of Critical Information (CWE-451)

Related Identifiers
CVE-2026-45064
GHSA-H5VQ-QFCG-4M6P

Affected Products

Symfony