CVE-2026-49210 in Symfony
Summary
by MITRE • 07/17/2026
Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/17/2026
The vulnerability identified in Symfony UX LiveComponent affects versions ranging from 2.8.0 through 2.36.0 and 3.1.0, representing a critical server-side template injection flaw that enables arbitrary HTML execution within web applications utilizing this framework component. This issue stems from the ChildComponentPartialRenderer::createHtml() method which directly incorporates user-supplied data without proper sanitization or validation mechanisms. The vulnerability specifically targets the children[id].tag value obtained from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber components, where client-controlled input is interpolated into HTML document structure without adequate escaping protocols.
The technical exploitation of this vulnerability occurs when a live component contains child components that are rendered dynamically within the application interface. When the system processes these child components during re-render operations, it accepts the tag names specified by client-side inputs and directly incorporates them into the generated HTML output. This direct interpolation creates an environment where malicious actors can inject arbitrary HTML elements including script tags, iframe objects, or other potentially harmful markup constructs that can execute within the victim's browser context. The vulnerability essentially allows for cross-site scripting (XSS) attacks to be initiated through controlled manipulation of component tag names.
The operational impact of this vulnerability extends beyond simple XSS exploitation to encompass potential privilege escalation scenarios and comprehensive application compromise. Attackers can leverage this flaw to inject malicious JavaScript code that executes within the context of authenticated users, potentially enabling session hijacking, data exfiltration, or unauthorized administrative actions depending on user privileges. The vulnerability affects all live components that contain child components, making it particularly dangerous as it can be triggered through normal application workflows without requiring special conditions. This issue represents a CWE-79 (Cross-site Scripting) vulnerability classified under the broader category of insecure data handling and insufficient input validation.
Mitigation strategies for this vulnerability require immediate implementation of version updates to 2.36.0 or 3.1.0 where the fix has been applied, along with comprehensive security reviews of existing applications that may have been exposed to this issue. Organizations should implement proper input sanitization measures that validate and escape all tag names before HTML generation, ensuring that only predefined safe tag names are permitted in component rendering processes. Additionally, application developers should conduct thorough security testing including penetration testing and code review procedures to identify potential similar vulnerabilities in other parts of their Symfony applications. The fix implemented in the updated versions follows standard security practices for preventing XSS attacks by implementing proper HTML escaping and input validation mechanisms that align with OWASP Top 10 recommendations and ATT&CK framework techniques related to command injection and XSS exploitation.
Security teams should also consider implementing web application firewalls and content security policies as additional defensive measures, while monitoring for potential exploitation attempts in system logs and network traffic. The vulnerability demonstrates the importance of input validation and output escaping in modern web frameworks, particularly when dealing with dynamic component rendering and user-controlled data in web applications that follow MVC architectural patterns. Regular security updates and vulnerability assessments remain critical practices to prevent similar issues from arising in other components of the Symfony ecosystem or related JavaScript frameworks that may exhibit similar interpolation vulnerabilities.