Vulnerable Library - uploadcare3.0.1
Library home page: https://plugins.svn.wordpress.org/uploadcare
Vulnerable Source Files (1)
/vendor/symfony/dom-crawler/Crawler.php
Vulnerabilities
** In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2026-45071
Vulnerable Library - uploadcare3.0.1
Library home page: https://plugins.svn.wordpress.org/uploadcare
Found in base branch: main
Vulnerable Source Files (1)
/vendor/symfony/dom-crawler/Crawler.php
Vulnerability Details
Description

`symfony/dom-crawler` provides the `Crawler` class for navigating HTML/XML documents with CSS/XPath selectors; `symfony/browser-kit`'s `HttpBrowser` uses it to parse fetched pages. `Crawler::addXmlContent()` sets `DOMDocument::$validateOnParse = true` before calling `loadXML()`. Setting `validateOnParse` re-enables libxml's DTD subset processing, including external entity resolution, even though `LIBXML_NONET` is passed. `LIBXML_NONET` blocks network fetches but not `file://` entities. An attacker-supplied XML document with a `SYSTEM "file:///etc/passwd"` entity is therefore expanded.

Resolution

The `Crawler::addXmlContent` method does not set the `validateOnParse` flag anymore. The patch for this issue is symfony/symfony@eea5fd7 for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
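The following script is an added example, not code from Symfony or from the uploadcare plugin. It re-creates the parsing pattern the advisory describes (`validateOnParse = true`, then `loadXML()` with `LIBXML_NONET`) next to the patched pattern, and adds a DOCTYPE gate as defence in depth. The secret file, its path and the XML payload are constructed here so the script runs anywhere PHP 8 has a writable temp directory on a POSIX-style path; on an affected PHP/libxml combination the first function returns the file contents, the patched one does not.

```php
<?php
// Added example, not Symfony's or the plugin's code.
declare(strict_types=1);

// Constructed stand-in for /etc/passwd (assumes a POSIX path for the file:// URL).
$secretPath = sys_get_temp_dir() . '/xxe-demo-secret.txt';
file_put_contents($secretPath, "token=constructed-secret-value\n");

// Attacker-controlled document: a SYSTEM entity pointing at a local file.
// LIBXML_NONET stops http(s)/ftp fetches; it does not cover file://.
$payload = '<?xml version="1.0"?>'
    . '<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file://' . $secretPath . '"> ]>'
    . '<doc>&xxe;</doc>';

/** Pre-patch pattern: validateOnParse is switched on before loadXML(). */
function parseLikeVulnerableCrawler(string $content): string
{
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument('1.0', 'utf-8');
    $dom->validateOnParse = true;           // the flag the advisory is about
    @$dom->loadXML($content, LIBXML_NONET); // NONET alone does not stop file:// entities
    libxml_use_internal_errors($previous);
    return $dom->documentElement?->textContent ?? '';
}

/** Patched pattern: identical call, validateOnParse left at its default (false). */
function parseLikePatchedCrawler(string $content): string
{
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument('1.0', 'utf-8');
    @$dom->loadXML($content, LIBXML_NONET);
    libxml_use_internal_errors($previous);
    return $dom->documentElement?->textContent ?? '';
}

/** Defence in depth for code that must accept XML from untrusted parties: refuse any DTD. */
function assertNoDoctype(string $content): void
{
    if (preg_match('/<!DOCTYPE\b/i', $content) === 1) {
        throw new InvalidArgumentException('XML documents with a DOCTYPE are not accepted');
    }
}

printf("pre-patch pattern : %s\n", json_encode(parseLikeVulnerableCrawler($payload)));
printf("patched pattern   : %s\n", json_encode(parseLikePatchedCrawler($payload)));
try {
    assertNoDoctype($payload);
} catch (InvalidArgumentException $e) {
    printf("doctype gate      : rejected (%s)\n", $e->getMessage());
}

unlink($secretPath);
```

The DOCTYPE gate is stricter than the upstream fix: it rejects documents that the patched `Crawler` would still parse, which is the right trade-off for an endpoint that never needs DTDs, but not something to bolt onto a general-purpose HTML/XML parsing path without checking what legitimate input looks like.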
Publish Date: 2026-06-10
URL: CVE-2026-45071
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/symfony/symfony.git - v5.4.52, v6.4.40, v7.4.12, v8.0.12
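Because the plugin vendors `symfony/dom-crawler` rather than pulling it in through the site's own Composer project, the quickest check is to read the vendored `installed.json`. The script below is an added example (not part of the Mend report or the plugin): it takes the fixed releases from the Suggested Fix above, resolves the installed version to its branch, and reports whether that branch is at or past its fixed release. The `installed.json` path and the sample JSON used when no vendor tree is found are assumptions; branches not listed in the fix (for example 5.3 or 7.3) are treated as not fixed.

```php
<?php
// Added example, not part of the Mend report or the uploadcare plugin.
declare(strict_types=1);

/** Fixed releases per branch, taken from the advisory's Fix Resolution. */
const DOM_CRAWLER_FIXED = [
    '5.4' => '5.4.52',
    '6.4' => '6.4.40',
    '7.4' => '7.4.12',
    '8.0' => '8.0.12',
];

/** True when $version belongs to a listed branch and is at or above that branch's fix. */
function domCrawlerIsFixed(string $version): bool
{
    $v = ltrim($version, 'v');
    $branch = implode('.', array_slice(explode('.', $v), 0, 2));
    if (!isset(DOM_CRAWLER_FIXED[$branch])) {
        return false; // dev-* versions and unlisted branches: assume not fixed
    }
    return version_compare($v, DOM_CRAWLER_FIXED[$branch], '>=');
}

/** Returns the symfony/dom-crawler version recorded in a Composer installed.json, or null. */
function vendoredDomCrawlerVersion(string $installedJson): ?string
{
    $data = json_decode($installedJson, true, 512, JSON_THROW_ON_ERROR);
    // Composer 2 wraps the list in {"packages": [...]}; Composer 1 wrote a bare array.
    $packages = $data['packages'] ?? $data;
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? null) === 'symfony/dom-crawler') {
            return $pkg['version'] ?? null;
        }
    }
    return null;
}

// Assumed location of the plugin's vendored Composer metadata (pass a path as argv[1] to override).
$installedPath = $argv[1] ?? __DIR__ . '/vendor/composer/installed.json';

// Constructed sample used when no vendor tree is present, so the script runs stand-alone.
$sample = json_encode(['packages' => [
    ['name' => 'symfony/dom-crawler', 'version' => 'v5.4.50'],
    ['name' => 'symfony/browser-kit', 'version' => 'v5.4.50'],
]]);

$json = is_file($installedPath) ? file_get_contents($installedPath) : $sample;
$installed = vendoredDomCrawlerVersion($json);

if ($installed === null) {
    echo "symfony/dom-crawler not found in installed.json\n";
} else {
    printf("symfony/dom-crawler %s: %s\n", $installed, domCrawlerIsFixed($installed) ? 'fixed' : 'VULNERABLE, upgrade');
}
```

For a WordPress plugin the upgrade is normally delivered by the plugin author rather than by running Composer on the site, so the useful outcome of this check is a ticket against the plugin release, not a local `composer update`.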
Step up your Open Source Security Game with Mend here