Skip to content

Bundled symfony/dom-crawler v5.4.48 has a known HIGH-severity vulnerability (CVE-2026-45071) #587

Description

@RomanZhakhovTR

Vulnerable dependency in BeyondWords 6.0.4 — symfony/dom-crawler v5.4.48

Plugin: BeyondWords – Text-to-Speech, v6.0.4

The bundled symfony/dom-crawler is v5.4.48, which is flagged as CVE-2026-45071 (HIGH) — an XXE / local file disclosure.

The fix is in 5.4.52, and your composer.json already allows it ("symfony/dom-crawler": "^5.4"), so just rebuilding vendor/ (composer update symfony/dom-crawler) is enough.

Since the vulnerable version ships inside the released plugin, we can't fix it on our side without it being overwritten on the next update.

Could you rebuild against symfony/dom-crawler >= 5.4.52 and release a new version? ETA would be appreciated.

Ref: https://symfony.com/blog/cve-2026-45071-xxe-local-file-disclosure-in-domcrawler-addxmlcontent-via-validateonparse-true

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions