### Description `Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml()` interpolates the `$childTag` argument directly into the HTML output as a tag name, without escaping or validation. The value originates from client-controlled JSON (`children[id].tag`) parsed by `LiveComponentSubscriber` and propagated through `InterceptChildComponentRenderSubscriber`, so an attacker who can reach the Live Component endpoint can inject arbitrary HTML, including `<script>` tags, on any re-render of a Live Component that contains at least one child component. In the default configuration, the Live Component endpoint is gated by an `Accept: application/vnd.live-component+html` request-header check that cannot be set cross-origin without a CORS preflight, so the issue is primarily a defense-in-depth gap. It becomes directly exploitable on applications that have relaxed CORS to allow this header from untrusted origins, or that have been pivoted from another same-origin XSS. ### Resolution `ChildComponentPartialRenderer` now validates `$childTag` against a strict HTML tag-name regex before interpolating it, and rejects any value that doesn't match. Anything that wouldn't be a valid HTML tag is dropped before reaching the response. The patch for this issue is available [here](https://github.com/symfony/ux/commit/fbc5e9a1bda7e4556be21bb1d970f382760ed9a9) for branch 2.x (and forward-ported to 3.x). ### Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
Get alerted for CVEs like this
Register your stack and get notified within minutes when a matching CVE drops.
Start monitoring free