Listen to this Post
How CVE-2026-55877 Works
The vulnerability exists in the `symfony/ux-icons` package, specifically within the `ux_icon()` Twig function. This function is marked with is_safe=['html'], which instructs Twig to output its return value without any escaping. The `Icon::toHtml()` method then inlines the SVG source code directly into the page. Because browsers execute JavaScript found within `
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.
We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.