CVE-2026-45071
Symfony · Symfony
An XML External Entity (XXE) vulnerability in the Symfony DomCrawler component allows unauthenticated attackers to potentially read sensitive local files.
Executive summary
A High severity XML External Entity injection vulnerability in the Symfony DomCrawler component could allow unauthenticated attackers to access sensitive system files.
Vulnerability
This is an XML External Entity (XXE) injection vulnerability (CWE-611) triggered when the DomCrawler component improperly handles XML input. The flaw is exploitable by unauthenticated remote actors.
Business impact
Successful exploitation allows an attacker to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, or sensitive application data. With a CVSS score of 8.7, the impact on confidentiality is severe, posing a direct threat to the security of the hosting environment.
Remediation
Immediate Action: Apply the vendor-provided security updates by upgrading to versions 5.4.52, 6.4.40, 7.4.12, or 8.0.12.
Proactive Monitoring: Audit application logs for XML-based requests containing suspicious entity definitions or attempts to access local file paths.
Compensating Controls: Ensure that XML parsers are configured to disable the resolution of external entities and DTDs as a defense-in-depth measure.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The risk posed by this XXE vulnerability is significant. Administrators must ensure that the DomCrawler component is updated to the patched versions immediately to prevent unauthorized information disclosure.