darylldoyle/svg-sanitizer

darylldoyle/svg-sanitizer

Releases48

Frequency2 months 2 weeks

Last Release 10 months ago

Stars543

A PHP SVG/XML Sanitizer

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-55166 ↗	Aug 12, 2025Tuesday, 12 August 2025, 17:15	—	—
savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0.
CVE-2023-28426 ↗	Mar 20, 2023Monday, 20 March 2023, 14:15	—	—
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: GHSA-xrqq-wqh4-5hg2. Reason: Further investigation showed that this CVE was assigned in error. Notes: See https://github.com/darylldoyle/svg-sanitizer/issues/88 for a technical discussion.
CVE-2022-23638 ↗	Feb 14, 2022Monday, 14 February 2022, 21:15	6.2 MEDIUM	4.3 MEDIUM
svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the `svg-sanitizer` library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround available.
CVE-2019-18857 ↗	Nov 11, 2019Monday, 11 November 2019, 15:15	7.5 HIGH	5 MEDIUM
darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the javascript :alert substring.