CVE-2026-45064
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and
CVSS
6.1
Medio
EPSS
0.3%
p21
KEV
—
Exploit Today
6
0-100
Publicado: 14 jul 2026 · Última mod.: 15 jul 2026 · CWE-451 · CWE-1007
0.3%EPSS · 30 días0.5%
2026-07-152026-07-16
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
- github.comhttps://github.com/symfony/symfony/commit/743a435e948b897ef2b5564ac438d4beb95d2526
- github.comhttps://github.com/symfony/symfony/releases/tag/v6.4.40
- github.comhttps://github.com/symfony/symfony/releases/tag/v7.4.12
- github.comhttps://github.com/symfony/symfony/releases/tag/v8.0.12
- github.comhttps://github.com/symfony/symfony/security/advisories/GHSA-h5vq-qfcg-4m6p
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-38616.5 MED22.4%
——7LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.9dCVE-2026-138926.5 MED20.2%
——6Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)16dCVE-2026-487606.1 MED17.8%
——5Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.2dCVE-2026-139856.5 MED16.9%
——5Inappropriate implementation in MediaCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)15dCVE-2026-45150—16.6%
——5Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.2dCVE-2026-454885.4 MED16.2%
——5User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.10d