{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "6.1.0"
              },
              {
                "fixed": "6.4.41"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.4.13"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.0.13"
              }
            ],
            "source": "CPE_RANGE"
          },
          "events": [
            {
              "introduced": "7350abfec0228dabb8dafde17d8a821f65c6dd4f"
            },
            {
              "fixed": "1a01cd7a6313d5a375480e0d1d4a0ddf834ae12b"
            },
            {
              "introduced": "f84d7d3c93e6a884908402775199b1f7d55c7be1"
            },
            {
              "fixed": "da3c28025a664e6a88e1af104a74457d99301161"
            },
            {
              "introduced": "bea6dc79db4d95c34b77ec27273d812aa64d65be"
            },
            {
              "fixed": "ca895c1303cc1d290f190cd7301d48fcef9e73e5"
            }
          ],
          "repo": "https://github.com/symfony/security-http",
          "type": "GIT"
        },
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "6.1.0"
              },
              {
                "fixed": "6.4.41"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.4.13"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.0.13"
              }
            ],
            "source": [
              "CPE_RANGE",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "c149a0868823d1b0cc01052f4031af2d507c7c9c"
            },
            {
              "fixed": "14ff191853ad60d640c0853b4f17fc0f3b4de0ae"
            },
            {
              "introduced": "d78c5f403d7ee794993660b1d5155536edd36fc1"
            },
            {
              "fixed": "d9981b6e4c77b97472845a9b7fcba5507208aacc"
            },
            {
              "introduced": "2e913a829cfbbf9cb38b321bdff1806b44b192eb"
            },
            {
              "fixed": "ad82cb517407582bb697e079c5ee62bf8b7af3b7"
            },
            {
              "fixed": "069a70f9f26e61e9de3b7f9a864a86ed24b36bd0"
            }
          ],
          "repo": "https://github.com/symfony/symfony",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-x5qj-865h-mgvm"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-1023",
      "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48761.json"
  },
  "details": "Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes() omitted URL-bearing attributes on \u003cobject\u003e, \u003capplet\u003e, \u003ciframe\u003e, and \u003cimg\u003e, and \u003cmeta http-equiv=\"refresh\"\u003e URLs inside content bypassed URL sanitization, allowing explicitly enabled elements or attributes to pass javascript: and similar payloads into sanitized output. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.",
  "id": "CVE-2026-48761",
  "modified": "2026-07-17T03:41:45.603175766Z",
  "published": "2026-07-14T19:21:26.582Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v6.4.41"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v7.4.13"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v8.0.13"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48761.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-x5qj-865h-mgvm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48761"
    },
    {
      "type": "FIX",
      "url": "https://github.com/symfony/symfony/commit/069a70f9f26e61e9de3b7f9a864a86ed24b36bd0"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on \u003cobject\u003e, \u003capplet\u003e, \u003ciframe\u003e, \u003cimg\u003e and the URL Inside \u003cmeta http-equiv=\"refresh\"\u003e content"
}