PT-2026-44141 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45072

CVSS v4.0: 1.2 (Low)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony (affected versions not specified)
Description: The Symfony profiler, a debugging UI intended only for development, renders source-code excerpts through the file_excerpt filter. PHP files are rendered with highlight_string(), whose output is HTML-escaped, but non-PHP files are split into lines on newline characters and those lines are interpolated directly into <code> tags without escaping. An attacker who can write arbitrary bytes into any file under the project root, such as var/log/dev.log, can therefore achieve stored cross-site scripting (XSS) against developers who view that file in the profiler.
Recommendations: Update to the version containing the patch for the 6.4 branch, which makes the file_excerpt filter escape the lines of non-PHP files with htmlspecialchars().
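As an added illustration (this is not Symfony's own code, and the helper names fileExcerptUnescaped, fileExcerptEscaped and containsLiveScriptTag are hypothetical), the following PHP contrasts the unescaped rendering path for non-PHP files described above with the htmlspecialchars()-based fix, run over a constructed log line of the kind that could end up in var/log/dev.log:

```php
<?php
// Added example, not Symfony's code: a minimal stand-in for a "file excerpt"
// helper. The PHP branch uses highlight_string(), which emits HTML-safe
// markup; the non-PHP branch is where the two variants differ.

declare(strict_types=1);

/**
 * Vulnerable variant: non-PHP content is split on "\n" and each line is
 * dropped into a <code> tag verbatim, so any markup in the file survives.
 */
function fileExcerptUnescaped(string $path, string $content): string
{
    if (str_ends_with($path, '.php')) {
        return highlight_string($content, true);
    }
    $out = '';
    foreach (explode("\n", $content) as $line) {
        $out .= sprintf('<li><code>%s</code></li>', $line); // no escaping
    }
    return '<ol>' . $out . '</ol>';
}

/**
 * Hardened variant: every non-PHP line passes through htmlspecialchars()
 * with ENT_QUOTES, so <, >, &, ' and " become entities before they reach
 * the markup.
 */
function fileExcerptEscaped(string $path, string $content): string
{
    if (str_ends_with($path, '.php')) {
        return highlight_string($content, true);
    }
    $out = '';
    foreach (explode("\n", $content) as $line) {
        $out .= sprintf(
            '<li><code>%s</code></li>',
            htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        );
    }
    return '<ol>' . $out . '</ol>';
}

/**
 * Reviewer check: a live <script> tag surviving into the rendered excerpt
 * means the escaping step is missing.
 */
function containsLiveScriptTag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed sample log content (not from any real system): the second
// line carries markup as it would appear if written into var/log/dev.log.
$logContent = "[2026-05-21 10:00:00] request.INFO: Matched route \"app_home\".\n"
            . "[2026-05-21 10:00:01] request.ERROR: <script>alert(1)</script>\n";

echo fileExcerptUnescaped('var/log/dev.log', $logContent), "\n";
echo fileExcerptEscaped('var/log/dev.log', $logContent), "\n";

var_dump(containsLiveScriptTag(fileExcerptUnescaped('var/log/dev.log', $logContent)));
var_dump(containsLiveScriptTag(fileExcerptEscaped('var/log/dev.log', $logContent)));
```

Run with `php excerpt.php`: the first excerpt contains the raw script tag inside a <code> element, the second contains only entity-encoded text, and the two var_dump() calls show the check flagging the former and passing the latter. The design point is that escaping must be applied per line at the point of interpolation, regardless of file extension, rather than relying on the PHP-only highlight_string() path.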

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-45072
GHSA-HMR5-2XCR-V8PP

Affected Products

Symfony