Cross-Site Scripting Vulnerability in Symfony UX for JavaScript Ecosystem
CVE-2026-49210
2.3LOW
What is CVE-2026-49210?
The Symfony UX JavaScript ecosystem contains a vulnerability that allows an attacker to inject arbitrary HTML, including malicious tags, via unvalidated client-controlled input in the LiveComponent framework. This occurs when the children[id].tag value is embedded directly into HTML output without proper escaping or validation. If exploited, this could lead to a range of attacks, including data theft or session hijacking. The issue has been addressed in versions 2.36.0 and 3.1.0, requiring all users of the affected versions to update their installations promptly.
Affected Version(s)
ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0
ux >= 2.8.0, < 2.36.0 < 2.8.0, 2.36.0
