PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49216 symfony CVE debrief

A medium-severity vulnerability was found in Symfony UX's Stimulus controller, affecting versions from 2.2.0 to 2.36.0 and 3.1.0. The issue allows attacker-controlled markup from user-supplied dropdown values to execute in the browser of any user who opens an autocomplete widget backed by the same data. This could lead to potential security risks if not properly mitigated.

Vendor
symfony
Product
ux
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers and administrators using Symfony UX's Stimulus controller in their applications should be aware of this vulnerability and take necessary actions to mitigate it. They should review and validate user-supplied data in autocomplete widgets and implement Content Security Policy (CSP) to restrict script execution.

Technical summary

The Stimulus controller in symfony/ux-autocomplete renders AJAX response items in _createAutocompleteWithRemoteData() by interpolating the text field into HTML template literals (<div>${item[labelField]}</div>) rather than text. This allows attacker-controlled markup from user-supplied dropdown values to execute in the browser of any user who opens an autocomplete widget backed by the same data. The vulnerability requires user interaction and has a CVSS score of 5.1.

Defensive priority

Medium priority, as the vulnerability requires user interaction and has a CVSS score of 5.1.

Recommended defensive actions

  • Update Symfony UX to version 2.36.0 or 3.1.0
  • Review and validate user-supplied data in autocomplete widgets
  • Implement Content Security Policy (CSP) to restrict script execution
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The vulnerability was reported and fixed by the Symfony UX maintainers. The CVE record was published on 2026-07-17T17:17:16.190Z and last modified on 2026-07-17T18:00:02.913Z. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for validation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:16.190Z and has not been modified since then.