1.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-45753

CVE-2026-45753: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description

symfony/html-sanitizer lets applications sanitise untrusted HTML. UrlAttributeSanitizer is the visitor responsible for validating URL-valued attributes and stripping dangerous schemes from them; it runs on every element regardless of configuration. Whether an attribute is kept is decided by the element/attribute allow-list; validating the scheme of a URL attribute is solely UrlAttributeSanitizer's responsibility.

UrlAttributeSanitizer::getSupportedAttributes() returned only ['src', 'href', 'lowsrc', 'background', 'ping']. The HTML URL-valued attributes action (<form>), formaction (<button>, <input type=image>), poster (<video>) and cite (<blockquote>, <q>, <del>, <ins>) were missing from that list, so DomVisitor never invoked scheme validation for them. As a result, when a configuration admits one of those attributes, a javascript: URI in it survived sanitisation.

Conditions for exploitation

allowSafeElements() is not affected: <form> and the formaction attribute are both flagged unsafe in W3CReference, and allowElement('form') resets the element's attribute list. Reaching the vulnerable attributes requires a deliberately permissive configuration, for example:

<form> + action: allowElement('form', '*'), allowElement('form', ['action', …]), allowElement('form')->allowAttribute('action', 'form'), or the allowStaticElements() preset (whose docblock already warns the output "may still contain other dangerous behaviors");

Miggo Vulnerability Database

→

CVE-2026-45753

CVE-2026-45753:

1.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/html-sanitizer	composer	>= 6.1.0, < 6.4.40	6.4.40
symfony/html-sanitizer	composer	>= 7.0.0, < 7.4.12	7.4.12
symfony/html-sanitizer	composer	>= 8.0.0, < 8.0.12	8.0.12
symfony/symfony	composer	>= 6.1.0, < 6.4.40	6.4.40
symfony/symfony	composer	>= 7.0.0, < 7.4.12	7.4.12
symfony/symfony	composer	>= 8.0.0, < 8.0.12	8.0.12

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the UrlAttributeSanitizer in Symfony's HTML Sanitizer had an incomplete list of attributes that it was responsible for sanitizing. The function UrlAttributeSanitizer::getSupportedAttributes() did not include action, formaction, poster, and cite. This omission meant that if an application's configuration allowed any of these attributes on HTML elements, the sanitizer would not check them for dangerous URL schemes like javascript:. An attacker could exploit this by injecting a payload such as <form action="javascript:alert(1)"> which would be missed by the sanitizer. The vulnerability is not in the processing of the URL itself, but in the failure to identify that these attributes should be processed in the first place. Therefore, the root cause is the incomplete list provided by getSupportedAttributes(). The fix involved updating this function to include the missing attributes, ensuring they are passed to the URL validation logic.

Vulnerable functions

Symfony\Component\HtmlSanitizer\Visitor\UrlAttributeSanitizer::getSupportedAttributes

src/Symfony/Component/HtmlSanitizer/Visitor/UrlAttributeSanitizer.php

This function is vulnerable because it returns an incomplete list of URL-valued attributes that require sanitization. By omitting 'action', 'formaction', 'poster', and 'cite', it allows potentially malicious URLs (e.g., 'javascript:') in these attributes to bypass security checks when a permissive configuration is used, leading to a Cross-Site Scripting (XSS) vulnerability.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-45753: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description

Conditions for exploitation

CVE-2026-45753:

1.2

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Detect and Respond To Threats Faster.

Technical Details

1.2

1.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

CVE-2026-45753: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description

Conditions for exploitation

Basic Information

Basic Information

Resolution

Credits

1.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-45753: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description

Conditions for exploitation

CVE-2026-45753:

1.2

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

1.2

1.2

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

CVE-2026-45753: Symfony's HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — `javascript`: URI Survives Sanitization (XSS)

Description

Conditions for exploitation

Basic Information

Basic Information

Resolution

Credits

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI