๐Ÿ” CVE Alert

CVE-2026-49216

UNKNOWN 0.0

Symfony UX: XSS in symfony/ux-autocomplete via unescaped AJAX response data

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, the Stimulus controller in symfony/ux-autocomplete renders AJAX response items in _createAutocompleteWithRemoteData() by interpolating the text field into HTML template literals (<div>${item[labelField]}</div>) rather than text, allowing attacker-controlled markup from user-supplied dropdown values to execute in the browser of any user who opens an autocomplete widget backed by the same data. This issue is fixed in versions 2.36.0 and 3.1.0.

CWE CWE-79
Vendor symfony
Product ux
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for symfony ux

Be the first to know when new unknown vulnerabilities affecting symfony ux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / ux
>= 3.0.0, < 3.1.0 < 2.36.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr github.com: https://github.com/symfony/ux/commit/842ae54bc74de389299f975f01aafae272cb0019 github.com: https://github.com/symfony/ux/releases/tag/v2.36.0 github.com: https://github.com/symfony/ux/releases/tag/v3.1.0