PT-2026-44140 · Symfony · Dom-Crawler

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45071

CVSS v4.0: 1.3 (Low)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: symfony/dom-crawler (affected versions not specified)
Description: The Crawler::addXmlContent() method in symfony/dom-crawler sets DOMDocument::$validateOnParse to true before calling loadXML(). Enabling validation re-enables libxml's DTD subset processing, which in turn allows external entity resolution. Although LIBXML_NONET is passed to block network fetches, it does not prevent the resolution of file:// entities. Consequently, an attacker who can supply a crafted XML document containing a SYSTEM "file:///etc/passwd" entity can achieve local file disclosure.
Recommendations: Update to a version where the Crawler::addXmlContent() method no longer sets the validateOnParse flag.
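Because the affected version range is not specified, callers feeding untrusted XML to the Crawler may want a guard in front of Crawler::addXmlContent() that rejects any document declaring a DOCTYPE or entity, independent of how the library configures libxml. The following is an added example, not symfony/dom-crawler code; it assumes the Symfony Crawler class is installed and uses a hypothetical UntrustedXmlGuard class name.

```php
<?php
declare(strict_types=1);

use Symfony\Component\DomCrawler\Crawler;

// Hypothetical guard for this advisory, not symfony/dom-crawler code. It
// refuses any document carrying a DOCTYPE: a DTD is the only place a
// SYSTEM entity (file:///...) can be declared, and data feeds or API
// responses have no legitimate need for one.
final class UntrustedXmlGuard
{
    /** True when $xml is well-formed and declares no DOCTYPE or entity. */
    public static function isSafe(string $xml): bool
    {
        // Textual check first: independent of parser flags, so it catches
        // the declaration whether or not this parser would resolve it.
        if ($xml === '' || preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml) === 1) {
            return false;
        }
        // Well-formedness check. validateOnParse stays at its default
        // (false) and LIBXML_NONET is passed, so no DTD processing and
        // no network fetch happen here.
        $previous = libxml_use_internal_errors(true);
        try {
            $dom = new \DOMDocument();
            return (bool) $dom->loadXML($xml, LIBXML_NONET);
        } finally {
            libxml_clear_errors();
            libxml_use_internal_errors($previous);
        }
    }

    /** Hands $xml to Crawler::addXmlContent() only after isSafe() passed. */
    public static function crawl(string $xml): Crawler
    {
        if (!self::isSafe($xml)) {
            throw new \InvalidArgumentException('Untrusted XML rejected: DOCTYPE, entity declaration or malformed input.');
        }
        $crawler = new Crawler();
        $crawler->addXmlContent($xml);
        return $crawler;
    }
}

// Constructed samples (not from the advisory): benign passes, hostile is rejected.
$benign  = '<?xml version="1.0"?><feed><item id="1">ok</item></feed>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><x>&e;</x>';
var_dump(UntrustedXmlGuard::isSafe($benign), UntrustedXmlGuard::isSafe($hostile));
```

The textual check runs before any parser is involved, so it holds even on a dom-crawler version that still sets validateOnParse.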

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

CVE-2026-45071
GHSA-X6G4-FWCC-JJ8W

Affected Products

Dom-Crawler