symfony (8.1.0+dfsg-1) experimental; urgency=medium

[ Fabien Potencier ]
* Bump version to 8.1
* [Tui] Add the component
* Update VERSION for 8.1.0

[ Imad ZAIRIG ]
* add Prelude Notifier for SMS

[ Alexandre Daubois ]
* [Routing] Fix regex alternation anchoring in UrlGenerator requirement
validation [CVE-2026-45065]
* [DomCrawler] Fix XXE in addXmlContent() by not enabling `validateOnParse`
[CVE-2026-45071]
* [HtmlSanitizer] Fix allowLinkHosts/allowMediaHosts bypass via URL parser
differentials and misclassification [CVE-2026-45066]
* [Security] Add missing claims in `OidcTokenHandler` [CVE-2026-45069]
* [Security] Anchor emailAddress regex to RDN boundary in X509Authenticator
[CVE-2026-45063]
* [Mime] Reject email addresses containing line breaks in Address
[CVE-2026-45067]
* [Mailer] Add end-of-options separator before recipients in
SendmailTransport; reject addresses starting with a dash [CVE-2026-45068]
* [JsonPath] Cap regex backtracking in match()/search() to prevent ReDoS
[CVE-2026-45756]
* [Mailer][Mailjet] Reject webhooks with missing or invalid Basic credentials
[CVE-2026-45754]
* [Mailer][Mailtrap] Reject webhooks with missing or invalid HMAC signature
[CVE-2026-45755]

[ Nicolas Grekas ]
* [HtmlSanitizer] Reject BiDi override characters and percent-encode spaces
in URLs [CVE-2026-45064]
* [MonologBridge] Bind server:log to localhost by default [CVE-2026-45077]
* [Security][HttpKernel] Fix HEAD requests bypassing methods filter in
`IsGranted`, `IsCsrfTokenValid` and `IsSignatureValid` attributes
[CVE-2026-45075]
* [Yaml] Bound recursion depth in the parser [CVE-2026-45133]
* [TwigBridge] Fix XSS issue in CodeExtension::fileExcerpt() [CVE-2026-45072]
* [Cache] Validate the prefix given to AbstractAdapter::clear()
[CVE-2026-45073]
* [Yaml] Bound collection-alias resolution in the parser [CVE-2026-45304]
* [Yaml] Harden the Parser::cleanup() regexes against catastrophic
backtracking [CVE-2026-45305]
* [Security] Require configuring trusted hosts when using CAS authentication
[CVE-2026-45074]
* [Notifier][Lox24] Reject webhooks with missing or invalid token
[CVE-2026-45754]
* [Notifier][Twilio] Reject webhooks with missing or invalid HMAC signature
[CVE-2026-47212]
* [HtmlSanitizer] Sanitize URLs in action, formaction, poster and cite
attributes [CVE-2026-45753]
* [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on
$_SERVER['QUERY_STRING'] [CVE-2026-46626]
* [HttpClient] Block IPv6 transition forms in NoPrivateNetworkHttpClient
[CVE-2026-48736]
* [HttpFoundation] Block IPv6 transition forms in IpUtils::PRIVATE_SUBNETS
[CVE-2026-48736]
* [Mailer] Pin Mailomat webhook signature algorithm to SHA-256
[CVE-2026-48747]
* [HtmlSanitizer] Reject percent-encoded BiDi marks and Unicode whitespace
in URLs [CVE-2026-48760]
* [HtmlSanitizer] Sanitize URL attributes on