PT-2026-51051 · Packagist · Symfony/Ux-Live-Component

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49210

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Symfony UX LiveComponent versions prior to 2.x
Symfony UX LiveComponent versions prior to 3.x

Description
The createHtml() function in Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer interpolates the $childTag variable directly into the HTML output as a tag name, without escaping or validation. The variable is derived from client-controlled JSON (children[id].tag) processed by LiveComponentSubscriber and InterceptChildComponentRenderSubscriber. An attacker with access to the Live Component endpoint can therefore inject arbitrary HTML, such as <script> tags, during the re-render of a Live Component that contains at least one child component. By default the endpoint is protected by a check for the Accept: application/vnd.live-component+html header; the issue becomes exploitable if the CORS policy is relaxed to allow that header from untrusted origins, or if a same-origin XSS is already present.

Recommendations
Update to the patched version of the 2.x branch.
Update to the patched version of the 3.x branch.
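The weakness described above is a tag name taken from client JSON and written straight into markup. The following PHP is an added illustration of the defensive pattern a fix takes, not the project's own code or its actual patch: the class, the parseChildren() helper, the data-live-id attribute and the allow-list contents are assumptions made for this example. The tag is checked against an allow-list of element names before it is interpolated, and the child id is attribute-escaped, so neither client-controlled value can break out of the intended element.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): a hypothetical child-partial
// renderer that refuses to interpolate a tag name it has not validated.
// Names other than createHtml() are assumptions for this illustration.

final class SafeChildPartialRenderer
{
    // Allow-list of element names a child component may be rendered as.
    private const ALLOWED_TAGS = ['div', 'span', 'section', 'article', 'li', 'tr', 'td'];

    /** True only when $tag is exactly one of the allow-listed element names. */
    public static function isValidTagName(string $tag): bool
    {
        return in_array($tag, self::ALLOWED_TAGS, true);
    }

    /**
     * Builds the placeholder markup for one child. The tag is checked against
     * the allow-list before use and the id is attribute-escaped.
     */
    public static function createHtml(string $childId, string $childTag): string
    {
        if (!self::isValidTagName($childTag)) {
            throw new \InvalidArgumentException(sprintf('Refusing unsupported child tag "%s".', $childTag));
        }
        $safeId = htmlspecialchars($childId, ENT_QUOTES | ENT_HTML5, 'UTF-8');

        // data-live-id is an assumed attribute name for this example.
        return sprintf('<%1$s data-live-id="%2$s"></%1$s>', $childTag, $safeId);
    }

    /**
     * Decodes the client-supplied children map and validates every tag up
     * front, so one bad entry rejects the whole request instead of being
     * discovered mid-render.
     *
     * @return array<string, string> child id => tag
     */
    public static function parseChildren(string $json): array
    {
        $decoded = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($decoded['children'] ?? null)) {
            throw new \InvalidArgumentException('Missing or malformed "children" map.');
        }
        $result = [];
        foreach ($decoded['children'] as $id => $child) {
            $tag = $child['tag'] ?? null;
            if (!is_string($tag) || !self::isValidTagName($tag)) {
                throw new \InvalidArgumentException(sprintf('Invalid tag for child "%s".', (string) $id));
            }
            $result[(string) $id] = $tag;
        }
        return $result;
    }
}

// Constructed sample request bodies, not captured traffic.
$good = '{"children":{"item-1":{"tag":"li"},"item-2":{"tag":"div"}}}';
$bad  = '{"children":{"item-1":{"tag":"li><b"}}}';

foreach (SafeChildPartialRenderer::parseChildren($good) as $id => $tag) {
    echo SafeChildPartialRenderer::createHtml($id, $tag), PHP_EOL;
}

try {
    SafeChildPartialRenderer::parseChildren($bad);
} catch (\InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

An exact allow-list is deliberately chosen over a "looks like a tag name" regex: a pattern such as `[a-z][a-z0-9-]*` would still accept `script`, `iframe` or a custom element, whereas the renderer only ever needs the handful of container elements a child component legitimately renders as. Validating in the request-parsing step, before any rendering starts, also gives a single place to log and reject malformed payloads.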

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-49210
GHSA-38X5-RCV4-XF7X

Affected Products

Symfony/Ux-Live-Component