PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49210 symfony CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:15.650Z and has not been modified since then. This vulnerability affects Symfony UX versions between 2.8.0 and 2.36.0 or 3.1.0, allowing client-controlled input to be directly interpolated into HTML as a tag name without proper escaping or validation. This could lead to arbitrary HTML injection, including script tags, during Live Component re-renders with child components. The issue is fixed in versions 2.36.0 and 3.1.0.

Vendor
symfony
Product
ux
CVSS
LOW 2.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers and administrators using Symfony UX versions between 2.8.0 and 2.36.0 or 3.1.0 should verify and apply patches to prevent potential XSS attacks. Additionally, security teams and vulnerability management teams should review the vulnerability and assess their exposure to ensure timely mitigation.

Technical summary

The Symfony UX LiveComponentSubscriber and InterceptChildComponentRenderSubscriber allow client-controlled input to be directly interpolated into HTML as a tag name without proper escaping or validation. This could lead to arbitrary HTML injection, including script tags, during Live Component re-renders with child components. The vulnerability is addressed in Symfony UX versions 2.36.0 and 3.1.0. Developers should verify and apply patches to prevent potential XSS attacks.

Defensive priority

Apply patches or upgrade to Symfony UX version 2.36.0 or 3.1.0 to address the vulnerability.

Recommended defensive actions

  • Apply patches or upgrade to Symfony UX version 2.36.0 or 3.1.0.
  • Verify and validate user-controlled input in LiveComponentSubscriber and InterceptChildComponentRenderSubscriber.
  • Implement additional security measures to monitor and restrict HTML injection attempts.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD entry provide limited information about the vulnerability. Further investigation and verification are necessary to fully understand the impact and scope of the issue. Affected product deployments should be identified and verified for potential exposure. The lack of detailed information may hinder defenders' ability to assess and mitigate the vulnerability effectively.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:15.650Z and has not been modified since then.