2 matches found
CVE-2026-55877 Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the uxicon function when unsanitized SVG content is inlined from local files or remote Iconify responses. An attacker can execute arbitrary JavaScript in the context of the application by supplying a malicio...