PT-2026-44135 · Symfony · Sanitize-Html

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45066
Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: symfony/html-sanitizer versions prior to 5.4
Description: Three bypasses allow content authors to smuggle URLs that are not on the allowlist past sanitization checks. The first bypass occurs because UrlSanitizer::parse() follows RFC 3986, whereas browsers follow the WHATWG URL Standard, which normalizes backslashes (`\`) to forward slashes (`/`) before parsing the authority of special schemes. This allows an input like `https://evil\@trusted.com/` to be parsed as trusted.com on the server but to navigate to `https://evil/` in the browser. The second bypass involves the WHATWG standard collapsing multiple forward slashes after a scheme into `//`, while RFC 3986 does not; consequently, inputs like `https:/evil.com/` or `https:///evil.com/` are parsed as host-less, skipping the host allowlist, but resolve to evil.com in the browser. The third bypass exists in UrlAttributeSanitizer, which only applies the link policy to `<a>` elements. Since `<area>` elements are also navigable hyperlinks, they were incorrectly sanitized against the media policy, bypassing allowLinkHosts() and allowLinkSchemes() entirely.
Recommendations: Update to version 5.4 or later.

Exploit

Weakness Enumeration

Incomplete List of Disallowed Inputs

Related Identifiers

CVE-2026-45066
GHSA-QC95-4862-92FH

Affected Products

Sanitize-Html