Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-6v8j-33hc-mv84 | symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses |
Fri, 10 Jul 2026 10:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Symfony
Symfony ux |
|
| Vendors & Products |
Symfony
Symfony ux |
Thu, 09 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0. | |
| Title | Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-09T14:40:25.026Z
Reserved: 2026-06-17T16:59:42.759Z
Link: CVE-2026-55877
Updated: 2026-07-09T14:21:01.646Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T05:45:03Z
Github GHSA