Lucene search
K

23 matches found

NVD
NVD
added yesterday5 views

CVE-2026-55878

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative accepts paths like ../../../etc, a crafted or...

7.8CVSS
Exploits0References4
NVD
NVD
added yesterday6 views

CVE-2026-55877

Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...

6.1CVSS
Exploits0References4
CVE
CVE
added yesterday22 views

CVE-2026-55877

The CVE-2026-55877 entry covers an XSS vulnerability in Symfony UX icons. From 2.17.0–2.36.0 and 3.0.0–3.1.9 (before 3.2.0), the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source, allowing unsanitized local SVGs or Iconify on-demand responses to contain nest...

6.1CVSS5.6AI score
Exploits0References4
Cvelist
Cvelist
added yesterday33 views

CVE-2026-55877 Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses

Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...

6.1CVSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-55878

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative accepts paths like ../../../etc, a crafted or...

7.8CVSS6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.9 views

symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

6.1CVSS6AI score
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/05/29 10:41 a.m.4 views

Improper Verification of Cryptographic Signature

Overview symfony/ux-live-component is a Live components for Symfony Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via insufficient context binding in HMAC protection for Live Component properties. An attacker can modify read-only properties o...

9.1CVSS5.4AI score
Exploits0References2
Friends Of PHP
Friends Of PHP
added 2026/05/29 8:0 a.m.16 views

symfony/ux-live-component Denial of service via unbounded batch action requests

Description Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry event subscribers, validators, Doctrine, rendering. The array size is never bounded, so an authenticated client can...

5.8AI score
Exploits0Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2025-15795

Malicious code in bioql PyPI...

6.1CVSS6.3AI score0.00212EPSS
Exploits0References7
Veracode
Veracode
added 2025/05/22 7:9 a.m.11 views

Cross-site Scripting (XSS)

symfony/ux-live-component and symfony/ux-twig-component is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper output escaping due to unescaped rendering of ComponentAttributes values, which may contain unsafe user input leading to HTML attribute injection...

6.1CVSS5.9AI score0.00212EPSS
Exploits0References10Affected Software2
RedhatCVE
RedhatCVE
added 2025/05/21 8:23 p.m.9 views

CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

6.1CVSS6.1AI score0.00212EPSS
Exploits0
OSV
OSV
added 2025/05/19 10:24 p.m.7 views

GHSA-5J3W-5PCR-F8HG Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact Rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these values are unsafe e.g. contain user input, this can lead to HTML attribute injection and XSS vulnerabilities. Patche...

6.1CVSS6.2AI score0.00212EPSS
Exploits0References10
Github Security Blog
Github Security Blog
added 2025/05/19 10:24 p.m.23 views

Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact Rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these values are unsafe e.g. contain user input, this can lead to HTML attribute injection and XSS vulnerabilities. Patche...

6.1CVSS6.1AI score0.00212EPSS
Exploits0References10Affected Software2
NVD
NVD
added 2025/05/19 8:15 p.m.20 views

CVE-2025-47946

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

6.1CVSS0.00212EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/05/19 7:25 p.m.12 views

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

6.1CVSS6.2AI score0.00212EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/05/19 7:25 p.m.23 views

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

6.1CVSS0.00212EPSS
Exploits0References2
OSV
OSV
added 2025/05/19 7:25 p.m.10 views

CVE-2025-47946 symfony/ux-live-component and symfony/ux-twig-component vulnerable to unsanitized HTML attribute injection via ComponentAttributes

Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these...

6.1CVSS6.5AI score0.00212EPSS
Exploits0References4
CVE
CVE
added 2025/05/19 7:25 p.m.50 views

CVE-2025-47946

Summary: CVE-2025-47946 affects Symfony UX components. Prior to 2.25.1, rendering {{ attributes }} or using methods returning a ComponentAttributes instance can output unescaped attribute values, risking HTML attribute injection and XSS. The vulnerability affects the Symfony UX Twig component and...

6.1CVSS6.2AI score0.00212EPSS
Exploits0References2
Friends Of PHP
Friends Of PHP
added 2025/05/19 12:5 p.m.15 views

symfony/ux-twig-component Unsanitized HTML attribute injection via ComponentAttributes

More info at https://symfony.com/blog/symfony-ux-cve-2025-47946-unsanitized-html-attribute-injection-via-componentattributes...

6.1CVSS7AI score0.00212EPSS
Exploits0Affected Software1
Cvelist
Cvelist
added 2023/09/11 7:21 p.m.49 views

CVE-2023-41336 Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2...

6.5CVSS6.6AI score0.00523EPSS
Exploits0References4
Rows per page
Query Builder