PT-2026-44727 · Symfony · Symfony/Html-Sanitizer

Published 2026-05-21 · Updated 2026-06-15 · CVE-2026-45753

CVSS v4.0: 1.2 (Low)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: symfony/html-sanitizer versions prior to 6.4

Description: The UrlAttributeSanitizer visitor fails to validate the schemes of several URL-valued attributes because they are missing from the getSupportedAttributes() list. Specifically, the action attribute in <form>, the formaction attribute in <button> and <input type=image>, the poster attribute in <video>, and the cite attribute in <blockquote>, <q>, <del>, and <ins> are not processed for scheme validation. Consequently, if a configuration is deliberately permissive, such as using allowElement() with a wildcard or the allowStaticElements() preset, a javascript: URI can bypass sanitization. For the action and formaction attributes, exploitation requires the victim to submit the form or click the button.

Recommendations: Update to version 6.4 or later. As a temporary workaround, avoid the allowStaticElements() preset or other permissive configurations that allow the action, formaction, cite, or poster attributes until the update is applied.
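The temporary workaround from the Recommendations, written out as a symfony/html-sanitizer configuration. This is an added example, not code from the advisory or from the Symfony project: it places the permissive preset beside a hardened variant that drops the four unvalidated attributes on every element. It assumes the component is installed through Composer (the vendor/autoload.php path), that dropAttribute() accepts '*' for all elements as documented, and uses a constructed input with placeholder URLs.

```php
<?php
// Added example (not from the advisory or the Symfony project): the
// interim workaround for symfony/html-sanitizer versions prior to 6.4.
require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Permissive configuration the advisory warns about: the static-elements
// preset allows <form>, <video>, <blockquote> and friends together with
// URL-valued attributes that UrlAttributeSanitizer does not scheme-check
// in the affected versions (action, formaction, poster, cite).
$permissive = (new HtmlSanitizerConfig())
    ->allowStaticElements();

// Hardened configuration: keep the preset, but remove the four attributes
// on every element ('*'). The elements themselves still pass through;
// only the attributes whose scheme would go unvalidated are dropped.
$hardened = (new HtmlSanitizerConfig())
    ->allowStaticElements()
    ->dropAttribute('action', '*')
    ->dropAttribute('formaction', '*')
    ->dropAttribute('cite', '*')
    ->dropAttribute('poster', '*');

// Constructed sample input carrying the attributes in question
// (example.invalid is a placeholder, not a real destination).
$input = '<form action="https://example.invalid/submit">'
       . '<button formaction="https://example.invalid/alt">Send</button>'
       . '</form>'
       . '<blockquote cite="https://example.invalid/source">quoted text</blockquote>'
       . '<video poster="https://example.invalid/poster.png"></video>';

// With the hardened config the output keeps the elements but none of the
// four attributes, regardless of what scheme they carried.
$sanitizer = new HtmlSanitizer($hardened);
echo $sanitizer->sanitize($input), PHP_EOL;
```

Once the upgrade to 6.4 or later is in place, the dropAttribute() calls can be removed, since the fixed UrlAttributeSanitizer validates these attributes itself.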

Exploit · Fix · Incomplete List of Disallowed Inputs · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-45753
GHSA-HHG7-C65M-H7FF

Affected Products

Symfony/Html-Sanitizer