PatchSiren cyber security CVE debrief
CVE-2026-45072 symfony CVE debrief
The CVE record for CVE-2026-45072 was published on 2026-07-14T19:17:06.277Z and has not been modified since then. The NVD entry is currently Analyzed. This CVE is for a stored XSS vulnerability in the development profiler of Symfony, a PHP framework for web and console applications. The vulnerability exists in versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 due to the file_excerpt Twig filter's behavior of escaping PHP files but interpolating lines from non-PHP files directly into <code> elements. This allows an attacker to write a file, such as var/log/dev.log, that can execute XSS when opened in the profiler by a developer. The issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. Developers and administrators using these versions should verify and apply patches to prevent stored XSS attacks.
- Vendor
- symfony
- Product
- Unknown
- CVSS
- LOW 2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-16
Who should care
Developers and administrators using Symfony versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 should verify and apply patches to prevent stored XSS attacks. This includes reviewing and monitoring var/log/dev.log and other log files for suspicious content, and implementing additional security measures for development environments.
Technical summary
Symfony, a PHP framework, has a stored XSS vulnerability in its development profiler. The file_excerpt Twig filter escapes PHP files but interpolates lines from non-PHP files directly into <code> elements. This allows an attacker to write a file, such as var/log/dev.log, that can execute XSS when opened in the profiler by a developer. The vulnerability exists in Symfony versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12. The issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12. Developers and administrators using these versions should verify and apply patches to prevent stored XSS attacks.
Defensive priority
Low priority due to CVSS score of 2 and limited attack surface. However, developers and administrators should still verify and apply patches to prevent stored XSS attacks.
Recommended defensive actions
- Verify Symfony version and apply patches to 6.4.40, 7.4.12, or 8.0.12
- Review and monitor var/log/dev.log and other log files for suspicious content
- Implement additional security measures for development environments
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
Official CVE and NVD records provide details on the vulnerability and patched versions. Limited information available on public exploits or attacks. The development profiler file_excerpt Twig filter in Symfony versions 6.4.24 through 6.4.40, 7.4.12, and 8.0.12 has a stored XSS vulnerability. This issue allows an attacker to write a file, such as var/log/dev.log, that can execute XSS when opened in the profiler by a developer. The CVE record was published on 2026-07-14T19:17:06.277Z and has not been modified since then. The NVD entry is currently Analyzed. Developers and administrators should verify and apply patches to prevent stored XSS attacks.
Official resources
-
CVE-2026-45072 CVE record
CVE.org
-
CVE-2026-45072 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Patch, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T19:17:06.277Z and has not been modified since then. The NVD entry is currently Analyzed.