{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "6.1.0"
              },
              {
                "fixed": "6.4.41"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.4.13"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.0.13"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "7350abfec0228dabb8dafde17d8a821f65c6dd4f"
            },
            {
              "fixed": "1a01cd7a6313d5a375480e0d1d4a0ddf834ae12b"
            },
            {
              "introduced": "f84d7d3c93e6a884908402775199b1f7d55c7be1"
            },
            {
              "fixed": "da3c28025a664e6a88e1af104a74457d99301161"
            },
            {
              "introduced": "bea6dc79db4d95c34b77ec27273d812aa64d65be"
            },
            {
              "fixed": "ca895c1303cc1d290f190cd7301d48fcef9e73e5"
            }
          ],
          "repo": "https://github.com/symfony/security-http",
          "type": "GIT"
        },
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "6.1.0"
              },
              {
                "fixed": "6.4.41"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.4.13"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.0.13"
              }
            ],
            "source": [
              "CPE_RANGE",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "c149a0868823d1b0cc01052f4031af2d507c7c9c"
            },
            {
              "fixed": "14ff191853ad60d640c0853b4f17fc0f3b4de0ae"
            },
            {
              "introduced": "d78c5f403d7ee794993660b1d5155536edd36fc1"
            },
            {
              "fixed": "d9981b6e4c77b97472845a9b7fcba5507208aacc"
            },
            {
              "introduced": "2e913a829cfbbf9cb38b321bdff1806b44b192eb"
            },
            {
              "fixed": "ad82cb517407582bb697e079c5ee62bf8b7af3b7"
            },
            {
              "fixed": "b21a626fd90f5c12d2db432c629eed3e780ba2f8"
            }
          ],
          "repo": "https://github.com/symfony/symfony",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-v3wm-qf9p-c549"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-1007",
      "CWE-451"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48760.json"
  },
  "details": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.",
  "id": "CVE-2026-48760",
  "modified": "2026-07-17T03:42:00.268349534Z",
  "published": "2026-07-14T19:11:42.179Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v8.0.13"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48760.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-v3wm-qf9p-c549"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48760"
    },
    {
      "type": "FIX",
      "url": "https://github.com/symfony/symfony/commit/b21a626fd90f5c12d2db432c629eed3e780ba2f8"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense"
}