Cross-Site Scripting Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-55877

6.1MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55877?

A vulnerability exists in the Symfony UX JavaScript ecosystem where the ux_icon() Twig function allows for the inline execution of unsanitized SVG files or Iconify JSON body responses. Specifically, this occurs due to the marking of the function as safe for HTML output despite potential threats from nested script elements, event handlers, and unsafe URL schemes. This issue affects versions 2.17.0 through 2.36.1 and 3.0.0 through 3.2.0, which are now addressed in subsequent releases.

Affected Version(s)

ux >= 2.17.0, < 2.36.1 < 2.17.0, 2.36.1

ux >= 3.0.0, < 3.2.0 < 3.0.0, 3.2.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.