JavaScript Vulnerability in Symfony UX Autocomplete Functionality
CVE-2026-49216
5.1MEDIUM
What is CVE-2026-49216?
The Symfony UX library is impacted by a Cross-Site Scripting vulnerability due to improper handling of user-supplied dropdown values in the Stimulus controller. When rendering AJAX response items, the text field is interpolated into HTML template literals, allowing attacker-controlled markup to execute in the browser of any user interacting with the autocomplete widget. This vulnerability has been addressed in version 2.36.0 and 3.1.0, which provide enhanced security measures against such attacks.
Affected Version(s)
ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0
ux < 2.36.0 < 2.36.0
