enshrined/svg-sanitize
Packagist: 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting enshrined/svg-sanitize
- CVE-2019-10772 | MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 0.13.1 | 2019-12-11
  vulnerable: 0.1.0 ... 0.9.2 (31 versions)
  It is possible to bypass enshrined/svg-sanitize before 0.13.1 using the "xlink:href" attribute due to mishandling of the xlink namespace by the sanitizer.
- CVE-2019-18857 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 0.12.0 | 2019-11-11
  vulnerable: 0.1.0 ... 0.9.2 (29 versions)
  darylldoyle svg-sanitizer before 0.12.0 mishandles script and data values in attributes, as demonstrated by unexpected whitespace such as in the "javascript	:alert" substring (a tab character between "javascript" and the colon).
- CVE-2022-23638 | MEDIUM | CVSS 6.2 | EG 6.2 | Fixed in 0.15.0 | 2022-02-14
  vulnerable: 0.1.0 ... 0.9.2 (36 versions)
  svg-sanitizer is an SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the `svg-sanitizer` library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround ava…
- CVE-2025-55166 | MEDIUM | CVSS 5.1 | EG 0.0 | Fixed in 0.22.0 | 2025-08-12
  vulnerable: 0.1.0 ... 0.9.2 (47 versions)
  svg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for the lower-case attribute name, which allows bypassing the isHrefSafeValue check. As a result this allow…