CVE-2026-45072: Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Symfony’s profiler, a development-only debug UI, renders source-code excerpts on several pages using Twig’s custom file_excerpt filter. The filter renders PHP files via highlight_string() (which escapes HTML), but renders non-PHP files by splitting on \n and interpolating each line directly into <code>{$line}</code> with no escaping.
An attacker who can write arbitrary bytes into any file under the project root (including, for example, var/log/dev.log) achieves stored XSS against any developer who later opens that file in the profiler.
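The following is an added illustration, not Symfony’s own code and not taken from the fix commit: a minimal stand-alone model of the two rendering paths the advisory describes (escaped highlight_string() for PHP, raw per-line interpolation for everything else), placed next to a hardened variant that escapes each non-PHP line with htmlspecialchars(). The function names, the choice of htmlspecialchars() as the remedy, and the log sample are assumptions made for the example.

```php
<?php
// Added illustration (not Symfony's code): a minimal model of an excerpt
// renderer that treats PHP and non-PHP files differently, beside a hardened form.
declare(strict_types=1);

/**
 * Vulnerable-pattern model. PHP source goes through highlight_string(), which
 * HTML-escapes its input; any other file is split on "\n" and each line is
 * interpolated into <code> without escaping, so markup in the file reaches
 * the browser as markup.
 */
function excerptUnsafe(string $contents, bool $isPhp): string
{
    if ($isPhp) {
        // highlight_string() returns escaped, colourised HTML.
        return highlight_string($contents, true);
    }
    $html = '';
    foreach (explode("\n", $contents) as $line) {
        $html .= "<code>{$line}</code>\n";   // no escaping on this path
    }
    return $html;
}

/**
 * Hardened variant (one possible remedy, an assumption here): escape each
 * non-PHP line before interpolation so that tags inside file content are
 * rendered as text rather than parsed by the browser.
 */
function excerptSafe(string $contents, bool $isPhp): string
{
    if ($isPhp) {
        return highlight_string($contents, true);
    }
    $html = '';
    foreach (explode("\n", $contents) as $line) {
        $escaped = htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<code>{$escaped}</code>\n";
    }
    return $html;
}

// Constructed sample (not a real Symfony log): a log file that ended up
// containing HTML because request data was written into it verbatim.
$logSample = "[2026-01-01T00:00:00] request.INFO: GET /?q=<script>x</script>\n"
           . "[2026-01-01T00:00:01] request.INFO: GET /healthz\n";

$unsafe = excerptUnsafe($logSample, false);
$safe   = excerptSafe($logSample, false);

// Compare how the tag from the log line survives each rendering path.
echo "unsafe output still contains a raw <script> tag: ";
var_dump(str_contains($unsafe, '<script>x</script>'));
echo "hardened output contains only the escaped form: ";
var_dump(str_contains($safe, '&lt;script&gt;x&lt;/script&gt;') && !str_contains($safe, '<script>'));
```

The model captures the asymmetry the advisory points at: the PHP branch is safe only because highlight_string() happens to escape, while the non-PHP branch has no escaping step at all. Any check for this class of bug in a template filter should therefore ask, per branch, where the escaping actually happens rather than assuming one safe path covers the other.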
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45072.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/twig-bridge/CVE-2026-45072.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/web-profiler-bundle/CVE-2026-45072.yaml
- github.com/advisories/GHSA-hmr5-2xcr-v8pp
- github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb
- github.com/symfony/symfony/security/advisories/GHSA-hmr5-2xcr-v8pp
- nvd.nist.gov/vuln/detail/CVE-2026-45072
- symfony.com/cve-2026-45072