Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Symfony
Symfony ux |
|
| Vendors & Products |
Symfony
Symfony ux |
Fri, 17 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0. | |
| Title | Symfony UX: XSS in symfony/ux-live-component via attacker-controlled child component tag | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-17T16:52:59.836Z
Reserved: 2026-05-28T03:42:34.340Z
Link: CVE-2026-49210
Updated: 2026-07-17T16:52:54.273Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T17:45:04Z