PT-2026-51055 · Symfony · Ux-Autocomplete

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49216
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
symfony/ux-autocomplete versions prior to 2.x
symfony/ux-autocomplete versions prior to 3.x
Description
The Stimulus controller shipped with the package renders AJAX response items into the dropdown by interpolating each item's text field directly into HTML template literals inside the createAutocompleteWithRemoteData() function. Because the value is inserted as HTML rather than as text, any markup contained in the AJAX response is parsed and executed by the browser. An attacker who can place crafted strings into the user-supplied content that feeds those responses can therefore trigger stored Cross-Site Scripting (XSS): the malicious script is persisted on the server and executed in the browsers of other users who open the autocomplete.
Recommendations
Update to the patched version for branch 2.x.
Update to the patched version for branch 3.x.
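The rendering pattern the description refers to, as an added JavaScript example that is not the package's own code: a dropdown option built by interpolating the item text into an HTML string, beside a version that escapes each field before interpolation or assigns it through textContent. The item shape {value, text}, the CSS class and the function names are assumptions.

```javascript
// Added example (not symfony/ux-autocomplete's own code). The item shape
// {value, text}, the class name and the helper names are assumptions.

// Vulnerable pattern: the item's text is interpolated straight into an HTML
// template literal, so markup in the AJAX response becomes live DOM.
function renderOptionUnsafe(item) {
  return `<div class="ts-option" data-value="${item.value}">${item.text}</div>`;
}

// Escape the five characters that can change HTML structure or break out of
// a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every server-supplied field is escaped before it is placed
// in HTML, so response content is displayed as text, never parsed as markup.
function renderOptionSafe(item) {
  return `<div class="ts-option" data-value="${escapeHtml(item.value)}">` +
    `${escapeHtml(item.text)}</div>`;
}

// Equivalent fix when building DOM nodes directly (browser only): textContent
// and dataset never parse their input as HTML.
function renderOptionNode(document, item) {
  const div = document.createElement('div');
  div.className = 'ts-option';
  div.dataset.value = String(item.value);
  div.textContent = item.text;
  return div;
}

// Constructed sample response item: a stored name that contains markup and an
// ampersand, standing in for attacker-influenced content returned by the server.
const SAMPLE_ITEM = { value: 7, text: '<em>Ada</em> & co' };
```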

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers
- CVE-2026-49216
- GHSA-MWQM-4FW3-CJVR

Affected Products
- Ux-Autocomplete