{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "6.1.0-BETA1"
              },
              {
                "fixed": "6.4.40"
              },
              {
                "introduced": "7.0.0-BETA1"
              },
              {
                "fixed": "7.4.12"
              },
              {
                "introduced": "8.0.0-BETA1"
              },
              {
                "fixed": "8.0.12"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "af7ed84e9feaf65ff3dfc25d15d464fdb0dedf4e"
            },
            {
              "fixed": "95a951788e30c45356278f4e4472cbbf552d0eb9"
            },
            {
              "introduced": "ed57652df42aef294f411ef53dcfa5d6b7da2f90"
            },
            {
              "fixed": "275f5cbccbcc50205206f05e599c4f57009aadb8"
            },
            {
              "introduced": "eca48f1c4682ee0c55a2d320ca25d8292ed48f75"
            },
            {
              "fixed": "06d3b2c9a8aeb5d8493738cc51e24f6a1215827c"
            }
          ],
          "repo": "https://github.com/symfony/symfony",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-qc95-4862-92fh"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-184",
      "CWE-436"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45066.json"
  },
  "details": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, HtmlSanitizer URL sanitization can allow off-allowlist URLs through allowLinkHosts() or allowMediaHosts() because UrlSanitizer::parse() follows RFC 3986 while browsers follow WHATWG URL parsing, and because \u003carea href\u003e is checked against the media policy rather than the link policy. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.",
  "id": "CVE-2026-45066",
  "modified": "2026-07-15T01:49:21.894441735Z",
  "published": "2026-07-14T17:53:49.836Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45066.json"
    },
    {
      "type": "FIX",
      "url": "https://github.com/symfony/symfony/commit/d506b556d3d3906f3e8660ad82257ce87edbaac4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v6.4.40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v7.4.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v8.0.12"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qc95-4862-92fh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45066"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony: HtmlSanitizer allowLinkHosts() / allowMediaHosts() Bypass via URL-Parser Differentials and \u003carea\u003e Misclassification"
}