Security backport request: CVE-2025-46734 fix not present on 2.6 branch #1118

@vulgraph

Description

Summary

The fix for CVE-2025-46734 — an XSS issue in the AttributesExtension — appears to be present on the active 2.8 branch but is missing from the 2.6 release branch.

Evidence

  • Upstream fix commit: f0d626c ("Merge commit from fork")
  • git compare 2.6...f0d626c reports status=ahead, ahead_by=9, behind_by=0 — meaning 2.6 is a strict ancestor lacking the 9 commits introduced by the security fix.
  • A title-based cherry-pick scan against 2.6 finds no equivalent commit.
  • Distinctive added lines from the upstream patch are absent from src/Extension/Attributes/AttributesExtension.php on 2.6.

Affected files (subset)

  • src/Extension/Attributes/AttributesExtension.php
  • src/Extension/Attributes/Event/AttributesListener.php
  • src/Extension/Attributes/Util/AttributesHelper.php

Question

Is 2.6 still receiving security backports? If so, would the maintainers consider cherry-picking f0d626c (and the surrounding allowlist tightening) onto 2.6? If 2.6 is end-of-life, a note in the README / SECURITY.md would help downstream consumers make an informed decision.

Happy to prepare a backport PR if useful.


Reported by vulgraph — automated cross-branch backport gap detection. Apologies if this is already tracked elsewhere; pointers welcome.
