Vulnerable dependency in BeyondWords 6.0.4 — symfony/dom-crawler v5.4.48
Plugin: BeyondWords – Text-to-Speech, v6.0.4
The bundled symfony/dom-crawler is v5.4.48, which is flagged as CVE-2026-45071 (HIGH) — an XXE / local file disclosure.
The fix is in 5.4.52, and your composer.json already allows it ("symfony/dom-crawler": "^5.4"), so just rebuilding vendor/ (composer update symfony/dom-crawler) is enough.
Since the vulnerable version ships inside the released plugin, we can't fix it on our side without it being overwritten on the next update.
Could you rebuild against symfony/dom-crawler >= 5.4.52 and release a new version? ETA would be appreciated.
Ref: https://symfony.com/blog/cve-2026-45071-xxe-local-file-disclosure-in-domcrawler-addxmlcontent-via-validateonparse-true
Vulnerable dependency in BeyondWords 6.0.4 —
symfony/dom-crawlerv5.4.48Plugin: BeyondWords – Text-to-Speech, v6.0.4
The bundled
symfony/dom-crawleris v5.4.48, which is flagged as CVE-2026-45071 (HIGH) — an XXE / local file disclosure.The fix is in 5.4.52, and your
composer.jsonalready allows it ("symfony/dom-crawler": "^5.4"), so just rebuildingvendor/(composer update symfony/dom-crawler) is enough.Since the vulnerable version ships inside the released plugin, we can't fix it on our side without it being overwritten on the next update.
Could you rebuild against
symfony/dom-crawler >= 5.4.52and release a new version? ETA would be appreciated.Ref: https://symfony.com/blog/cve-2026-45071-xxe-local-file-disclosure-in-domcrawler-addxmlcontent-via-validateonparse-true