CVE-2026-45072
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Description
### Description Symfony's profiler, a development only debug UI, renders source-code excerpts on several pages using Twig's custom `file_excerpt` filter. This filter renders PHP files via `highlight_string()` (which escapes HTML), but renders **non-PHP files** by splitting on `\n` and interpolating each line directly into `<code>{$line}</code>` with no escaping. An attacker who can write arbitrary bytes into any file under the project root (including e.g. `var/log/dev.log`), achieves **stored XSS** against any developer who later opens that file in the profiler. ### Resolution The `file_excerpt` filter now properly escapes each line of non-PHP files using `htmlspecialchars()` before concatenating them. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb) for branch 6.4. ### Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
How to fix CVE-2026-45072
To remediate CVE-2026-45072, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 6.4.40 or later
- —upgrade to 6.4.40 or later
- —upgrade to 7.4.12 or later
Is CVE-2026-45072 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45072.
Affected packages (4)
- from 0
- >= 6.4.24, < 6.4.40
- >= 6.4.24, < 6.4.40
- >= 7.2.9, < 7.4.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U |