CVE-2026-45071

Symfony · Symfony

An XML External Entity (XXE) vulnerability in the Symfony DomCrawler component allows unauthenticated attackers to potentially read sensitive local files.

Executive summary

A High severity XML External Entity injection vulnerability in the Symfony DomCrawler component could allow unauthenticated attackers to access sensitive system files.

Vulnerability

This is an XML External Entity (XXE) injection vulnerability (CWE-611) triggered when the DomCrawler component improperly handles XML input. The flaw is exploitable by unauthenticated remote actors.

Business impact

Successful exploitation allows an attacker to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, or sensitive application data. With a CVSS score of 8.7, the impact on confidentiality is severe, posing a direct threat to the security of the hosting environment.

Remediation

Immediate Action: Apply the vendor-provided security updates by upgrading to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12.

Proactive Monitoring: Audit application logs for XML-based requests containing suspicious entity definitions or attempts to access local file paths.

Compensating Controls: Ensure that XML parsers are configured to disable the resolution of external entities and DTDs as a defense-in-depth measure.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The risk posed by this XXE vulnerability is significant. Administrators must ensure that the DomCrawler component is updated to the patched versions immediately to prevent unauthorized information disclosure.