Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-6v8j-33hc-mv84 | symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 08 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux_icon() Twig function is marked is_safe=['html'] and Icon::toHtml() inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested script elements, on* event handlers, or dangerous URL schemes to execute cross-site scripting. This issue is fixed in versions 2.36.1 and 3.2.0. | |
| Title | Symfony UX: XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T21:32:37.407Z
Reserved: 2026-06-17T16:59:42.759Z
Link: CVE-2026-55877
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
Github GHSA