Server-side cross-site scripting in symfony/symfony

Description

Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering

Symfony's profiler, a development-only debug UI, renders source-code excerpts on several pages using Twig's custom file_excerpt filter. This filter renders PHP files via highlight_string() (which escapes HTML), but renders non-PHP files by splitting on \n and interpolating each line directly into <code>{$line}</code> with no escaping.

An attacker who can write arbitrary bytes into any file under the project root (including, for example, var/log/dev.log) achieves stored XSS against any developer who later opens that file in the profiler.

Resolution

The file_excerpt filter now properly escapes each line of non-PHP files using htmlspecialchars() before concatenating them.
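As an added illustration that is not Symfony's own code, the following PHP models the non-PHP branch of the filter in its vulnerable shape and in the fixed shape described above; the function names and the sample log content are constructed for this example.

```php
<?php
// Added example, not Symfony's CodeExtension: a minimal model of the
// file_excerpt filter's non-PHP branch, before and after the fix.
// Function names and the sample log content are constructed.

/** Vulnerable shape: each line is interpolated into <code> with no escaping. */
function excerptNonPhpVulnerable(string $contents): string
{
    $out = '';
    foreach (explode("\n", $contents) as $line) {
        $out .= "<code>{$line}</code>\n";
    }
    return '<pre>'.$out.'</pre>';
}

/** Fixed shape: escape every line with htmlspecialchars() before concatenating. */
function excerptNonPhpFixed(string $contents): string
{
    $out = '';
    foreach (explode("\n", $contents) as $line) {
        $escaped = htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= "<code>{$escaped}</code>\n";
    }
    return '<pre>'.$out.'</pre>';
}

// Constructed sample: a log file in which one line carries request-derived
// markup, as anything written to var/log/dev.log from user input could.
$log = "[info] Matched route \"app_home\".\n"
     . "[warning] Lookup failed for <script>alert('xss')</script>\n";

$vulnerable = excerptNonPhpVulnerable($log);
$fixed      = excerptNonPhpFixed($log);

// The vulnerable output embeds a live <script> element; the fixed output
// turns it into inert text that the browser displays rather than executes.
assert(str_contains($vulnerable, '<script>'));
assert(!str_contains($fixed, '<script>'));
assert(str_contains($fixed, '&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;'));

echo $fixed;
```

Run it with `php -d zend.assertions=1 example.php` so the assert() calls are actually evaluated (PHP 8.0 or newer for str_contains()).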

The patch for this issue is available here for branch 6.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
