symfony/ux-live-component is vulnerable to Cross Site Scripting (XSS)
54
Medium Risk
Symfony UX LiveComponent's ChildComponentPartialRenderer::createHtml() interpolates the $childTag value directly into HTML without escaping or validation. The value comes from the client-supplied children[id].tag field handled by LiveComponentSubscriber and InterceptChildComponentRenderSubscriber, so an attacker who can reach the Live Component endpoint can inject arbitrary HTML, including <script> tags, on any re-render of a component that has a child component. The endpoint is normally protected by an Accept: application/vnd.live-component+html header check, but that gate can be bypassed via relaxed CORS or a same-origin XSS pivot. The fix validates $childTag against a strict HTML tag-name regex and rejects non-matching values.
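The following PHP snippet is an added illustration, not code from symfony/ux-live-component or its patch. It contrasts the unsafe pattern the advisory describes (a client-controlled tag name interpolated straight into markup) with a hardened variant that validates the tag name first. The function names, the data attribute, and the tag-name regex are assumptions chosen for this example; the project's actual regex and method signatures may differ.

```php
<?php
// Added example (not the project's own code). Shows why interpolating a
// client-supplied tag name is an XSS sink and how strict validation closes it.

/**
 * Vulnerable pattern: the tag name is dropped into the markup verbatim, so a
 * client-supplied value that closes the tag early becomes live HTML.
 * Hypothetical helper, modelled on the flaw described in the advisory.
 */
function createHtmlUnsafe(string $childTag, string $id): string
{
    // Only the id is escaped here; the tag name is the unescaped sink.
    return sprintf('<%s data-live-id="%s"></%s>', $childTag, htmlspecialchars($id, ENT_QUOTES), $childTag);
}

/**
 * Hardened pattern: accept only a plausible HTML tag name, reject everything else.
 * The regex is an assumption for this example (letters, digits and hyphens,
 * starting with a letter, so custom elements like "my-element" still pass).
 */
function assertValidTagName(string $tag): void
{
    if (!preg_match('/^[a-zA-Z][a-zA-Z0-9-]*$/', $tag)) {
        throw new \InvalidArgumentException(sprintf('Invalid child tag name "%s".', $tag));
    }
}

function createHtmlSafe(string $childTag, string $id): string
{
    assertValidTagName($childTag);
    return sprintf('<%s data-live-id="%s"></%s>', $childTag, htmlspecialchars($id, ENT_QUOTES), $childTag);
}

// Constructed inputs: two legitimate tag names and one value that breaks out of
// the tag to inject a new element (a harmless marker stands in for real content).
$inputs = ['div', 'my-element', 'div><script>/*injected*/</script><div'];

foreach ($inputs as $tag) {
    // Unsafe variant: every input is rendered, including the break-out value.
    echo 'unsafe: ', createHtmlUnsafe($tag, 'child-1'), PHP_EOL;

    // Safe variant: the break-out value is rejected before it reaches the page.
    try {
        echo 'safe:   ', createHtmlSafe($tag, 'child-1'), PHP_EOL;
    } catch (\InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Run it with `php example.php`. The unsafe line for the third input shows a second element spliced into the output, which is exactly what the client-controlled children[id].tag field allows; the safe line rejects it. Validation of the tag name is the right control here rather than escaping, because a tag name is syntax, not text content, and there is no escaped form of it that still renders as an element.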
You are affected if you are using a version that falls within the vulnerable range.
symfony/ux-live-component is vulnerable to Cross Site Scripting (XSS) in versions 2.8.0 - 2.35.0 and 3.0.0 - 3.0.0.
Upgrade the symfony/ux-live-component library to a patched version.