CVE-2026-49210 in Symfonyinfo

Summary

by MITRE • 07/17/2026

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability identified in Symfony UX LiveComponent affects versions ranging from 2.8.0 through 2.36.0 and 3.1.0, representing a critical server-side template injection flaw that enables arbitrary HTML execution within web applications utilizing this framework component. This issue stems from the ChildComponentPartialRenderer::createHtml() method which directly incorporates user-supplied data without proper sanitization or validation mechanisms. The vulnerability specifically targets the children[id].tag value obtained from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber components, where client-controlled input is interpolated into HTML document structure without adequate escaping protocols.

The technical exploitation of this vulnerability occurs when a live component contains child components that are rendered dynamically within the application interface. When the system processes these child components during re-render operations, it accepts the tag names specified by client-side inputs and directly incorporates them into the generated HTML output. This direct interpolation creates an environment where malicious actors can inject arbitrary HTML elements including script tags, iframe objects, or other potentially harmful markup constructs that can execute within the victim's browser context. The vulnerability essentially allows for cross-site scripting (XSS) attacks to be initiated through controlled manipulation of component tag names.

The operational impact of this vulnerability extends beyond simple XSS exploitation to encompass potential privilege escalation scenarios and comprehensive application compromise. Attackers can leverage this flaw to inject malicious JavaScript code that executes within the context of authenticated users, potentially enabling session hijacking, data exfiltration, or unauthorized administrative actions depending on user privileges. The vulnerability affects all live components that contain child components, making it particularly dangerous as it can be triggered through normal application workflows without requiring special conditions. This issue represents a CWE-79 (Cross-site Scripting) vulnerability classified under the broader category of insecure data handling and insufficient input validation.

Mitigation strategies for this vulnerability require immediate implementation of version updates to 2.36.0 or 3.1.0 where the fix has been applied, along with comprehensive security reviews of existing applications that may have been exposed to this issue. Organizations should implement proper input sanitization measures that validate and escape all tag names before HTML generation, ensuring that only predefined safe tag names are permitted in component rendering processes. Additionally, application developers should conduct thorough security testing including penetration testing and code review procedures to identify potential similar vulnerabilities in other parts of their Symfony applications. The fix implemented in the updated versions follows standard security practices for preventing XSS attacks by implementing proper HTML escaping and input validation mechanisms that align with OWASP Top 10 recommendations and ATT&CK framework techniques related to command injection and XSS exploitation.

Security teams should also consider implementing web application firewalls and content security policies as additional defensive measures, while monitoring for potential exploitation attempts in system logs and network traffic. The vulnerability demonstrates the importance of input validation and output escaping in modern web frameworks, particularly when dealing with dynamic component rendering and user-controlled data in web applications that follow MVC architectural patterns. Regular security updates and vulnerability assessments remain critical practices to prevent similar issues from arising in other components of the Symfony ecosystem or related JavaScript frameworks that may exhibit similar interpolation vulnerabilities.

Responsible

GitHub M

Reservation

05/28/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!