CVE-2026-49210
Received Received - Intake

XSS in Symfony UX LiveComponent via Unsanitized Tag Name

Vulnerability report for CVE-2026-49210, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
symfony ux-live-component From 2.8.0 (inc) to 2.36.0 (inc)
symfony ux-live-component 3.1.0
symfony ux-live-component 2.36.0
symfony ux From 2.8.0 (inc) to 2.36.0 (inc)
symfony ux to 3.1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Cross-Site Scripting (XSS) vulnerability in the Symfony UX Live Component package. It occurs because the ChildComponentPartialRenderer::createHtml() function directly inserts a client-controlled tag name into HTML output without proper escaping or validation. Attackers can inject arbitrary HTML, including malicious script tags, during Live Component re-renders if they can access the Live Component endpoint.

Detection Guidance

Check Symfony UX LiveComponent versions with: composer show symfony/ux-live-component. If version is below 2.36.0 or 3.1.0, the system is vulnerable. Inspect network traffic for Live Component endpoints receiving client-controlled tag names in JSON payloads.

Impact Analysis

An attacker could exploit this to inject malicious scripts into web pages viewed by users. This could lead to theft of session cookies, account takeover, or defacement of the website. The impact depends on the application's context and user privileges.

Compliance Impact

This vulnerability could lead to unauthorized data access or modification, violating GDPR's integrity and confidentiality principles. For HIPAA, it may compromise protected health information integrity. Both standards require protection against unauthorized code execution and data breaches.

Mitigation Strategies

Upgrade Symfony UX LiveComponent to version 2.36.0 or 3.1.0 or later. Ensure CORS restrictions are enforced to prevent cross-origin requests. Validate all client-controlled inputs in Live Component endpoints.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart