symfony/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses
Description: The ux_icon Twig function is marked is_safe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute <script> elements and on* event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
EUVD-2026-18568
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
PT-2026-29971
Name of the Vulnerable Software and Affected Versions: Shynet versions prior to 0.14.0. Description: The software contains a cross-site scripting (XSS) issue in the 'urldisplay' and 'iconify' template filters. Recommendations: Update to version 0.14.0 or later...
Shynet cross-site scripting vulnerability
Shynet is a self-hosted website analysis tool developed by R. Miles McCain. Versions of Shynet prior to 0.14.0 contain a cross-site scripting vulnerability, which originates from the urldisplay and iconify template filters having cross-site scripts...