Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.4.24 until 6.4.40, 7.4.12, and 8.0.12, the development profiler file_excerpt Twig filter escapes PHP files through highlight_string() but interpolates lines from non-PHP files directly into <code> elements, allowing stored XSS against a developer who opens an attacker-written file such as var/log/dev.log in the profiler. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.

Project Subscriptions

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6312-1 symfony security update
Github GHSA Github GHSA GHSA-hmr5-2xcr-v8pp Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 14 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Description Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.4.24 until 6.4.40, 7.4.12, and 8.0.12, the development profiler file_excerpt Twig filter escapes PHP files through highlight_string() but interpolates lines from non-PHP files directly into <code> elements, allowing stored XSS against a developer who opens an attacker-written file such as var/log/dev.log in the profiler. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.
Title Symfony: Stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-14T18:11:07.748Z

Reserved: 2026-05-08T18:45:10.096Z

Link: CVE-2026-45072

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses