PatchSiren cyber security CVE debrief
CVE-2026-49216 symfony CVE debrief
A medium-severity vulnerability was found in Symfony UX's Stimulus controller, affecting versions from 2.2.0 to 2.36.0 and 3.1.0. The issue allows attacker-controlled markup from user-supplied dropdown values to execute in the browser of any user who opens an autocomplete widget backed by the same data. This could lead to potential security risks if not properly mitigated.
- Vendor
- symfony
- Product
- ux
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using Symfony UX's Stimulus controller in their applications should be aware of this vulnerability and take necessary actions to mitigate it. They should review and validate user-supplied data in autocomplete widgets and implement Content Security Policy (CSP) to restrict script execution.
Technical summary
The Stimulus controller in symfony/ux-autocomplete renders AJAX response items in _createAutocompleteWithRemoteData() by interpolating the text field into HTML template literals (<div>${item[labelField]}</div>) rather than text. This allows attacker-controlled markup from user-supplied dropdown values to execute in the browser of any user who opens an autocomplete widget backed by the same data. The vulnerability requires user interaction and has a CVSS score of 5.1.
Defensive priority
Medium priority, as the vulnerability requires user interaction and has a CVSS score of 5.1.
Recommended defensive actions
- Update Symfony UX to version 2.36.0 or 3.1.0
- Review and validate user-supplied data in autocomplete widgets
- Implement Content Security Policy (CSP) to restrict script execution
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The vulnerability was reported and fixed by the Symfony UX maintainers. The CVE record was published on 2026-07-17T17:17:16.190Z and last modified on 2026-07-17T18:00:02.913Z. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected deployments and review official advisories for validation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:16.190Z and has not been modified since then.