Cross-Site Scripting Vulnerability in Symfony UX for JavaScript Ecosystem
CVE-2026-49210

2.3LOW

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49210?

The Symfony UX JavaScript ecosystem contains a vulnerability that allows an attacker to inject arbitrary HTML, including malicious tags, via unvalidated client-controlled input in the LiveComponent framework. This occurs when the children[id].tag value is embedded directly into HTML output without proper escaping or validation. If exploited, this could lead to a range of attacks, including data theft or session hijacking. The issue has been addressed in versions 2.36.0 and 3.1.0, requiring all users of the affected versions to update their installations promptly.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux >= 2.8.0, < 2.36.0 < 2.8.0, 2.36.0

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.