JavaScript Vulnerability in Symfony UX Autocomplete Functionality
CVE-2026-49216

5.1MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49216?

The Symfony UX library is impacted by a Cross-Site Scripting vulnerability due to improper handling of user-supplied dropdown values in the Stimulus controller. When rendering AJAX response items, the text field is interpolated into HTML template literals, allowing attacker-controlled markup to execute in the browser of any user interacting with the autocomplete widget. This vulnerability has been addressed in version 2.36.0 and 3.1.0, which provide enhanced security measures against such attacks.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux < 2.36.0 < 2.36.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.