Vulnerability DatabaseCVE-2026-45071
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-45071
Published:May 31, 2026
Updated:May 31, 2026
Description "symfony/dom-crawler" provides the "Crawler" class for navigating HTML/XML documents with CSS/XPath selectors; "symfony/browser-kit"'s "HttpBrowser" uses it to parse fetched pages. "Crawler::addXmlContent()" sets "DOMDocument::$validateOnParse = true" before calling "loadXML()". Setting "validateOnParse" re-enables libxml's DTD subset processing, including external entity resolution, even though "LIBXML_NONET" is passed. "LIBXML_NONET" blocks network fetches but not "file://" entities. An attacker-supplied XML document with a "SYSTEM "file:///etc/passwd"" entity is therefore expanded. Resolution The "Crawler::addXmlContent" method does not set the "validateOnParse" flag anymore. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d) for branch 5.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Affected Packages
https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v2.0.0BETA1 <v5.4.52
Fix Suggestion:
Update to version v5.4.52
https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v7.0.0 <v7.4.12
Fix Suggestion:
Update to version v7.4.12
https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v8.0.0 <v8.0.12
Fix Suggestion:
Update to version v8.0.12
https://github.com/symfony/symfony.git (GITHUB):
Affected version(s) >=v6.0.0 <v6.4.40
Fix Suggestion:
Update to version v6.4.40
symfony/symfony (PHP):
Affected version(s) >=v7.0.0 <v7.4.12
Fix Suggestion:
Update to version v7.4.12
symfony/dom-crawler (PHP):
Affected version(s) >=v7.0.0 <v7.4.12
Fix Suggestion:
Update to version v7.4.12
symfony/symfony (PHP):
Affected version(s) >=v8.0.0 <v8.0.12
Fix Suggestion:
Update to version v8.0.12
symfony/symfony (PHP):
Affected version(s) >=v6.0.0 <v6.4.40
Fix Suggestion:
Update to version v6.4.40
symfony/dom-crawler (PHP):
Affected version(s) >=v6.0.0 <v6.4.40
Fix Suggestion:
Update to version v6.4.40
symfony/dom-crawler (PHP):
Affected version(s) >=v8.0.0 <v8.0.12
Fix Suggestion:
Update to version v8.0.12
symfony/symfony (PHP):
Affected version(s) >=dev-binary-options <v5.4.52
Fix Suggestion:
Update to version v5.4.52
symfony/dom-crawler (PHP):
Affected version(s) >=v2.0.0 <v5.4.52
Fix Suggestion:
Update to version v5.4.52
Related Resources (6)
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml
https://github.com/symfony/symfony
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml
https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w
https://symfony.com/cve-2026-45071
https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d
Do you need more information?
Contact Us
CVSS v4
Base Score:
1.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Restriction of XML External Entity Reference
CWE-611