Cross-Site Scripting Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-55877
6.1MEDIUM
What is CVE-2026-55877?
A vulnerability exists in the Symfony UX JavaScript ecosystem where the ux_icon() Twig function allows for the inline execution of unsanitized SVG files or Iconify JSON body responses. Specifically, this occurs due to the marking of the function as safe for HTML output despite potential threats from nested script elements, event handlers, and unsafe URL schemes. This issue affects versions 2.17.0 through 2.36.1 and 3.0.0 through 3.2.0, which are now addressed in subsequent releases.
Affected Version(s)
ux >= 2.17.0, < 2.36.1 < 2.17.0, 2.36.1
ux >= 3.0.0, < 3.2.0 < 3.0.0, 3.2.0
