Packagist (Composer) package
enshrined/svg-sanitize
pkg:composer/enshrined/svg-sanitize
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-55166 | Med | — | | < 0.22.0 | 0.22.0 | Aug 12, 2025 | svg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute names, which allows the isHrefSafeValue check to be bypassed. As a result this allows cross-site scripting or linking to exte |
| CVE-2022-23638 | — | | | < 0.15.0 | 0.15.0 | Feb 14, 2022 | svg-sanitizer is an SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the `svg-sanitizer` library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround available. |
| CVE-2019-10772 | — | | | < 0.13.1 | 0.13.1 | Dec 11, 2019 | It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer. |
| CVE-2019-18857 | — | | | < 0.12.0 | 0.12.0 | Nov 11, 2019 | darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript :alert substring. |