CVE-2026-49216
Received Received - Intake

Cross-Site Scripting in Symfony UX Autocomplete

Vulnerability report for CVE-2026-49216, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, the Stimulus controller in symfony/ux-autocomplete renders AJAX response items in _createAutocompleteWithRemoteData() by interpolating the text field into HTML template literals (<div>${item[labelField]}</div>) rather than text, allowing attacker-controlled markup from user-supplied dropdown values to execute in the browser of any user who opens an autocomplete widget backed by the same data. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
symfony ux-autocomplete From 2.2.0 (inc) to 2.36.0 (exc)
symfony ux-autocomplete 2.36.0
symfony ux-autocomplete From 3.0.0 (inc) to 3.1.0 (exc)
symfony ux-autocomplete From 2.2.0 (inc) to 2.36.0 (inc)
symfony ux-autocomplete 3.1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a stored Cross-Site Scripting (XSS) vulnerability in the Symfony UX Autocomplete component. It occurs because the Stimulus controller renders AJAX response data directly into HTML template literals without proper escaping. Attackers can inject malicious scripts into user-supplied dropdown values, which execute in the browser of any user who interacts with the autocomplete widget.

Detection Guidance

To detect this vulnerability, inspect your Symfony UX Autocomplete component versions. Check if you are running versions between 2.2.0 and 2.36.0 or 3.0.0 and 3.1.0. Use commands like 'composer show symfony/ux-autocomplete' to verify installed versions. Also, review AJAX response handling in autocomplete widgets for unsanitized user input.

Impact Analysis

An attacker could steal user sessions, perform actions on behalf of users, or deface the website. Users interacting with compromised autocomplete widgets may have their data exposed or their browsers compromised by executing malicious scripts.

Compliance Impact

This vulnerability could lead to unauthorized data access or modification, violating GDPR's integrity and confidentiality principles. For HIPAA, it may expose protected health information (PHI) if user sessions are compromised. Organizations must address this to maintain compliance with data protection regulations.

Mitigation Strategies

Upgrade symfony/ux-autocomplete to versions 2.36.0 or 3.1.0 or later. If you must render HTML in responses, set options_as_html to true explicitly. Review and sanitize all user-supplied data in AJAX endpoints to prevent XSS. Monitor for unusual activity in autocomplete widgets.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49216. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart