2 matches found
CVE-2026-49216 Symfony UX: XSS in symfony/ux-autocomplete via unescaped AJAX response data
Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, the Stimulus controller in symfony/ux-autocomplete renders AJAX response items in createAutocompleteWithRemoteData by interpolating the text field into HTML template literals $itemlabelField rather than text,...
CVE-2026-49216
CVE-2026-49216 (Symfony UX Autocomplete) : The Stimulus controller in symfony/ux-autocomplete renders AJAX response items by interpolating item[labelField] directly into HTML, causing stored XSS when values come from user-supplied content. Affected: 2.2.0 through 2.36.0 and 3.1.0. Impact is that ...