PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45072 symfony CVE debrief

The CVE record for CVE-2026-45072 was published on 2026-07-14T19:17:06.277Z and has not been modified since then. The NVD entry is currently Analyzed. This CVE is for a stored XSS vulnerability in the development profiler of Symfony, a PHP framework for web and console applications. The vulnerability exists in versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 due to the file_excerpt Twig filter's behavior of escaping PHP files but interpolating lines from non-PHP files directly into <code> elements. This allows an attacker to write a file, such as var/log/dev.log, that can execute XSS when opened in the profiler by a developer. The issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. Developers and administrators using these versions should verify and apply patches to prevent stored XSS attacks.

Vendor
symfony
Product
Unknown
CVSS
LOW 2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-16
Advisory published
2026-07-14
Advisory updated
2026-07-16

Who should care

Developers and administrators using Symfony versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 should verify and apply patches to prevent stored XSS attacks. This includes reviewing and monitoring var/log/dev.log and other log files for suspicious content, and implementing additional security measures for development environments.

Technical summary

Symfony, a PHP framework, has a stored XSS vulnerability in its development profiler. The file_excerpt Twig filter escapes PHP files but interpolates lines from non-PHP files directly into <code> elements. This allows an attacker to write a file, such as var/log/dev.log, that can execute XSS when opened in the profiler by a developer. The vulnerability exists in Symfony versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12. The issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. Developers and administrators using these versions should verify and apply patches to prevent stored XSS attacks.

Defensive priority

Low priority due to CVSS score of 2 and limited attack surface. However, developers and administrators should still verify and apply patches to prevent stored XSS attacks.

Recommended defensive actions

  • Verify Symfony version and apply patches to 6.4.40, 7.4.12, or 8.0.12
  • Review and monitor var/log/dev.log and other log files for suspicious content
  • Implement additional security measures for development environments
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

Official CVE and NVD records provide details on the vulnerability and patched versions. Limited information available on public exploits or attacks. The development profiler file_excerpt Twig filter in Symfony versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 has a stored XSS vulnerability. This issue allows an attacker to write a file, such as var/log/dev.log, that can execute XSS when opened in the profiler by a developer. The CVE record was published on 2026-07-14T19:17:06.277Z and has not been modified since then. The NVD entry is currently Analyzed. Developers and administrators should verify and apply patches to prevent stored XSS attacks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T19:17:06.277Z and has not been modified since then. The NVD entry is currently Analyzed.