Stored XSS Vulnerability in Symfony PHP Framework
CVE-2026-45072
What is CVE-2026-45072?
A stored XSS vulnerability exists in Symfony PHP framework versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 due to improper handling of the Twig filter in the development profiler. The filter escapes PHP files using highlight_string(), but non-PHP files are interpolated directly into elements. This inadequacy allows an attacker to write a malicious file that, when opened in the profiler, can lead to the execution of scripts in the context of the developer's session, compromising user data and application integrity. The issue is resolved in version 6.4.40 and above, prompting users to upgrade to safeguard their applications.
Affected Version(s)
symfony >= 6.4.24, < 6.4.40 < 6.4.24, 6.4.40
symfony >= 7.2.9, < 7.4.12 < 7.2.9, 7.4.12
symfony >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12
