CVE-2026-49216: symfony/ux-autocomplete: XSS via unescaped AJAX response data
The Stimulus controller shipped with symfony/ux-autocomplete renders AJAX response items into the dropdown by interpolating the text field directly into HTML template literals (<div>${item[labelField]}</div>) inside _createAutocompleteWithRemoteData(). The value is parsed as HTML rather than text, so any markup contained in the AJAX response is executed by the browser.
When the dropdown values are derived from user-supplied content, an attacker can craft a string that triggers stored XSS in the browser of any other user who later opens a page containing an autocomplete widget backed by the same data.
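As an added example (not code from symfony/ux or the fixing commit), the option renderer in the shape the advisory describes beside a hardened form that escapes the label before interpolation; `escapeHtml`, `renderOptionSafe`, `containsForeignMarkup` and the sample item are constructed for illustration.

```javascript
// Added example, not symfony/ux-autocomplete's code. Shows the vulnerable
// render shape from the advisory next to an escaped version, plus a small
// check a test suite could run over the renderer's output.

// Vulnerable shape: the label is interpolated straight into an HTML template
// literal, so any markup in the AJAX response becomes live HTML in the dropdown.
function renderOptionVulnerable(item, labelField) {
  return `<div>${item[labelField]}</div>`;
}

// Minimal HTML escaper for text placed into element content or attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened shape: the label is escaped before interpolation, so server data is
// rendered as text. (Equivalent in the DOM: create the <div> and set textContent.)
function renderOptionSafe(item, labelField) {
  return `<div>${escapeHtml(item[labelField])}</div>`;
}

// Defender-side check: does the rendered option contain any tag other than
// the wrapper <div>? Suitable as a unit test guarding the render function.
function containsForeignMarkup(html) {
  const inner = html.replace(/^<div>/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed AJAX response item: a user-supplied label that carries markup.
const sampleItem = { value: 17, text: 'Ada <b>Lovelace</b> & <i>co</i>' };

console.log(renderOptionVulnerable(sampleItem, 'text')); // markup survives
console.log(renderOptionSafe(sampleItem, 'text'));       // markup is inert text
```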
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2026-49216.yaml
- github.com/advisories/GHSA-mwqm-4fw3-cjvr
- github.com/symfony/ux/commit/842ae54bc74de389299f975f01aafae272cb0019
- github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr
- nvd.nist.gov/vuln/detail/CVE-2026-49216