Lucene search
+L

14 matches found

cve
cve
added 2026/07/08 9:32 p.m.28 views

CVE-2026-55877

The CVE-2026-55877 entry covers an XSS vulnerability in Symfony UX icons. From 2.17.0–2.36.0 and 3.0.0–3.1.9 (before 3.2.0), the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source, allowing unsanitized local SVGs or Iconify on-demand responses to contain nest...

6.1CVSS5.6AI score0.00194EPSS
Exploits0References4
osv
osv
added 2026/07/08 9:32 p.m.3 views

CVE-2026-55877 Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses

Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...

6.1CVSS5.9AI score0.00194EPSS
Exploits0References6
snyk
snyk
added 2026/06/19 9:42 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the uxicon function when unsanitized SVG content is inlined from local files or remote Iconify responses. An attacker can execute arbitrary JavaScript in the context of the application by supplying a malicio...

6.1CVSS6AI score0.00194EPSS
Exploits0References2
github
github
added 2026/06/19 9:42 p.m.11 views

symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

6.1CVSS6AI score0.00194EPSS
Exploits0References3Affected Software1
friendsofphp
friendsofphp
added 2026/06/19 7:21 a.m.9 views

symfony/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

6.1CVSS6AI score0.00194EPSS
Exploits0Affected Software1
redhatcve
redhatcve
added 2026/04/04 4:59 a.m.8 views

CVE-2026-35508

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

6.1CVSS5.9AI score0.00153EPSS
Exploits0References1
euvd
euvd
added 2026/04/03 3:31 a.m.6 views

EUVD-2026-18568

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References3
nvd
nvd
added 2026/04/03 2:16 a.m.8 views

CVE-2026-35508

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

6.1CVSS0.00153EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/04/03 1:13 a.m.2 views

CVE-2026-35508

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/04/03 1:13 a.m.3 views

CVE-2026-35508

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References3
cvelist
cvelist
added 2026/04/03 1:13 a.m.17 views

CVE-2026-35508

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

5.4CVSS0.00153EPSS
Exploits0References2
osv
osv
added 2026/04/03 1:13 a.m.3 views

CVE-2026-35508

Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References4
cnnvd
cnnvd
added 2026/04/03 12:0 a.m.14 views

shynet 跨站脚本漏洞

Shynet is a self-hosted website analysis tool developed by R. Miles McCain. Versions of Shynet prior to 0.14.0 contained a cross-site scripting vulnerability, which originated from the urldisplay and iconify template filters having cross-site scripts...

6.1CVSS5.7AI score0.00153EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/04/03 12:0 a.m.6 views

PT-2026-29971

Name of the Vulnerable Software and Affected Versions Shynet versions prior to 0.14.0 Description The software contains a cross-site scripting XSS issue in the 'urldisplay' and 'iconify' template filters. Recommendations Update to version 0.14.0 or later...

6.1CVSS4.8AI score0.00153EPSS
Exploits0References6
Rows per page
Query Builder