14 matches found
CVE-2026-55877
The CVE-2026-55877 entry covers an XSS vulnerability in Symfony UX icons. From 2.17.0–2.36.0 and 3.0.0–3.1.9 (before 3.2.0), the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source, allowing unsanitized local SVGs or Iconify on-demand responses to contain nest...
CVE-2026-55877 Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the uxicon function when unsanitized SVG content is inlined from local files or remote Iconify responses. An attacker can execute arbitrary JavaScript in the context of the application by supplying a malicio...
symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...
symfony/ux-icons XSS via unsanitized SVG content in local files and Iconify on-demand responses
Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
EUVD-2026-18568
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
CVE-2026-35508
Shynet before 0.14.0 allows XSS in urldisplay and iconify template filters,...
shynet 跨站脚本漏洞
Shynet is a self-hosted website analysis tool developed by R. Miles McCain. Versions of Shynet prior to 0.14.0 contained a cross-site scripting vulnerability, which originated from the urldisplay and iconify template filters having cross-site scripts...
PT-2026-29971
Name of the Vulnerable Software and Affected Versions Shynet versions prior to 0.14.0 Description The software contains a cross-site scripting XSS issue in the 'urldisplay' and 'iconify' template filters. Recommendations Update to version 0.14.0 or later...