CVE-2026-45071: Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit’s HttpBrowser uses it to parse fetched pages.
Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml’s DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml
- github.com/advisories/GHSA-x6g4-fwcc-jj8w
- github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d
- github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w
- nvd.nist.gov/vuln/detail/CVE-2026-45071
- symfony.com/cve-2026-45071
Code Behaviors & Features
Detect and mitigate CVE-2026-45071 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →