v6.4.40

fabpot released this 20 May 09:02

· 82 commits to 8.2 since this release

2e02fc9

Changelog (v6.4.35...v6.4.40)

security #cve-2026-45753 Sanitize URLs in action, formaction, poster and cite attributes (@nicolas-grekas)
security #cve-2026-45064 Reject BiDi override characters and percent-encode spaces in URLs (@nicolas-grekas)
security #cve-2026-45066 Fix allowLinkHosts/allowMediaHosts bypass via URL parser differentials and <area> misclassification (@alexandre-daubois)

Contributors

nicolas-grekas and alexandre-daubois

Assets 2