AIKIDO-2026-11055
symfony/ux-autocomplete is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
This Affects:
symfony/ux-autocompleteTL;DR
The Symfony UX Autocomplete Stimulus controller renders the text field from AJAX endpoint responses directly into the dropdown using template literals in _createAutocompleteWithRemoteData(), without HTML escaping. Any attacker-influenced data that reaches an entity rendered by the autocomplete can inject HTML and JavaScript that executes in the browser of users viewing the field. The fix routes the value through TomSelect's escape() helper by default and introduces an explicit options_as_html opt-in for endpoints that legitimately return HTML.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
symfony/ux-autocomplete is vulnerable to Cross-Site Scripting (XSS) in versions 0.0.1 - 2.35.0 and 3.0.0 - 3.0.0.
How to fix this
Upgrade the symfony/ux-autocomplete library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant