Stored XSS Vulnerability in Symfony PHP Framework
CVE-2026-45072

2LOW

Key Information:

Vendor

Symfony

Vendor
CVE Published:
14 July 2026

What is CVE-2026-45072?

A stored XSS vulnerability exists in Symfony PHP framework versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 due to improper handling of the Twig filter in the development profiler. The filter escapes PHP files using highlight_string(), but non-PHP files are interpolated directly into elements. This inadequacy allows an attacker to write a malicious file that, when opened in the profiler, can lead to the execution of scripts in the context of the developer's session, compromising user data and application integrity. The issue is resolved in version 6.4.40 and above, prompting users to upgrade to safeguard their applications.

Affected Version(s)

symfony >= 6.4.24, < 6.4.40 < 6.4.24, 6.4.40

symfony >= 7.2.9, < 7.4.12 < 7.2.9, 7.4.12

symfony >= 8.0.0-BETA1, < 8.0.12 < 8.0.0-BETA1, 8.0.12

References

CVSS V4

Score:
2
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.