๐Ÿ” CVE Alert

CVE-2026-49210

UNKNOWN 0.0

Symfony UX: XSS in symfony/ux-live-component via attacker-controlled child component tag

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0.

CWE CWE-79
Vendor symfony
Product ux
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for symfony ux

Be the first to know when new unknown vulnerabilities affecting symfony ux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / ux
>= 3.0.0, < 3.1.0 >= 2.8.0, < 2.36.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/ux/security/advisories/GHSA-38x5-rcv4-xf7x github.com: https://github.com/symfony/ux/commit/fbc5e9a1bda7e4556be21bb1d970f382760ed9a9 github.com: https://github.com/symfony/ux/releases/tag/v2.36.0 github.com: https://github.com/symfony/ux/releases/tag/v3.1.0