PT-2026-51122 · Packagist · Symfony/Ux-Icons

Published 2026-06-19 · Updated 2026-06-20 · CVE-2026-55877

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Symfony UX Icons (affected versions not specified)

Description: The ux icon() Twig function is marked as safe for HTML, which prevents Twig from escaping its output. The Icon::toHtml() function inlines SVG source code directly into the page. Because browsers execute <script> elements and on* event-handler attributes within inline SVGs, unsanitized icons can lead to cross-site scripting. Two paths are affected: the local file path, where Icon::fromFile() fails to remove nested scripts and on* attributes, and the Iconify on-demand path, where the remote JSON body field is used without any sanitization. Potential attack vectors include malicious SVG icon packs from third-party themes or a compromised Iconify endpoint configured via iconify.endpoint.

Recommendations: Implement an IconFactory to centralize sanitization for all icon sources before an Icon object is created. The sanitization process must remove script-capable elements such as script, foreignObject, iframe, object, and embed, as well as SMIL animations targeting on*, href, or xlink:href attributes, CDATA sections, processing instructions, all on* attributes, and URL schemes including javascript:, vbscript:, and data:text/html. Any handlers within <style> elements must also be stripped.
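A deny-rule sanitizer of the kind the recommendation describes, added here as an illustration in Python (standard library only); it is not Symfony UX Icons code, which is PHP. It applies each listed rule to a constructed hostile icon; `sanitize_svg`, the rule tables and `HOSTILE_ICON` are names chosen for this example.

```python
import re
from xml.dom import minidom
from xml.dom.minidom import Node

# Deny rules from the recommendation above: script-capable elements, SMIL elements that
# retarget handlers/links, executable URL schemes (matched after stripping whitespace and
# control characters, so "java\nscript:" is caught) and handler-like text inside <style>.
SCRIPT_CAPABLE = {"script", "foreignobject", "iframe", "object", "embed"}
SMIL = {"animate", "set", "animatemotion", "animatetransform", "animatecolor"}
BAD_SCHEME = re.compile(r"^(?:javascript:|vbscript:|data:text/html)", re.I)
STYLE_HANDLER = re.compile(r"javascript:|vbscript:|expression\s*\(", re.I)

def _local(el):
    return el.tagName.split(":")[-1].lower()
def _bad_scheme(value):
    return BAD_SCHEME.match(re.sub(r"[\s\x00-\x1f]", "", value).lower()) is not None
def _retargets(el):  # SMIL element pointing a new value at on*, href or xlink:href
    target = el.getAttribute("attributeName").lower()
    return target.startswith("on") or target in ("href", "xlink:href")

def _clean(el):
    for name, value in list(el.attributes.items()):  # the root element is cleaned too
        if name.split(":")[-1].lower().startswith("on") or _bad_scheme(value):
            el.removeAttribute(name)
    if _local(el) == "style":
        for text in el.childNodes:
            if text.nodeType == Node.TEXT_NODE:
                text.data = STYLE_HANDLER.sub("", text.data)
    for child in list(el.childNodes):
        if child.nodeType in (Node.CDATA_SECTION_NODE, Node.PROCESSING_INSTRUCTION_NODE):
            el.removeChild(child)
        elif child.nodeType == Node.ELEMENT_NODE:
            if _local(child) in SCRIPT_CAPABLE or (_local(child) in SMIL and _retargets(child)):
                el.removeChild(child)
            else:
                _clean(child)

def sanitize_svg(svg_source: str) -> str:
    """Strip script-capable content; non-<svg> input raises so hostile files fail closed."""
    root = minidom.parseString(svg_source).documentElement  # defusedxml.minidom for untrusted packs
    if _local(root) != "svg":
        raise ValueError("root element is not <svg>")
    _clean(root)
    return root.toxml()

# Constructed hostile icon (not a real-world sample) exercising each path listed above.
HOSTILE_ICON = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    ' viewBox="0 0 24 24" onload="alert(1)"><?xml-stylesheet href="x"?><script>alert(2)</script>'
    '<set attributeName="onmouseover" to="alert(3)"/><a xlink:href="java&#10;script:alert(4)">'
    '<circle cx="12" cy="12" r="10"/></a><style>.i{fill:url(javascript:alert(5))}</style><![CDATA[6]]></svg>')
```

Running `print(sanitize_svg(HOSTILE_ICON))` leaves only the `<svg>`, `<a>`, `<circle>` and defused `<style>` elements; the same function would sit in the IconFactory ahead of both the local-file and Iconify paths.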

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-55877
GHSA-6V8J-33HC-MV84

Affected Products

Symfony/Ux-Icons