CVE-2026-45072
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Description
### Description

Symfony's profiler, a development-only debug UI, renders source-code excerpts on several pages using Twig's custom `file_excerpt` filter. This filter renders PHP files via `highlight_string()` (which escapes HTML), but renders **non-PHP files** by splitting on `\n` and interpolating each line directly into `<code>{$line}</code>` with no escaping. An attacker who can write arbitrary bytes into any file under the project root (including e.g. `var/log/dev.log`) achieves **stored XSS** against any developer who later opens that file in the profiler.

### Resolution

The `file_excerpt` filter now properly escapes each line of non-PHP files using `htmlspecialchars()` before concatenating them.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb) for branch 6.4.

### Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
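As an added illustration (not Symfony's own code and not the linked patch), the functions below are simplified stand-ins for the non-PHP branch of `CodeExtension::fileExcerpt()`: `renderExcerptBefore()` reproduces the flaw the advisory describes (each line interpolated into `<code>` as-is), `renderExcerptAfter()` applies the described fix (`htmlspecialchars()` per line), and `containsUnescapedTag()` is a small check a reviewer could run over the rendered excerpt. The function names, the reduced `<ol>/<li>/<code>` markup and the `dev.log`-style sample lines are all assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. excerptLines(), renderExcerptBefore(),
// renderExcerptAfter() and containsUnescapedTag() are hypothetical helpers
// that mimic the shape of the non-PHP branch of CodeExtension::fileExcerpt().

/** Slice $contents to the 1-indexed lines around $line, keys are 0-based line offsets. */
function excerptLines(string $contents, int $line, int $context): array
{
    $all = explode("\n", $contents);
    $start = max($line - $context, 1);
    $end = min($line + $context, \count($all));
    if ($end < $start) {
        return []; // requested line lies past the end of the file
    }
    return \array_slice($all, $start - 1, $end - $start + 1, true);
}

/** Vulnerable shape: file content lands inside <code> without escaping. */
function renderExcerptBefore(string $contents, int $line, int $context = 3): string
{
    $html = '';
    foreach (excerptLines($contents, $line, $context) as $idx => $text) {
        $html .= sprintf('<li><a id="line%d"></a><code>%s</code></li>', $idx + 1, $text);
    }
    return '<ol>'.$html.'</ol>';
}

/** Fixed shape: every line is escaped before it is concatenated into markup. */
function renderExcerptAfter(string $contents, int $line, int $context = 3): string
{
    $html = '';
    foreach (excerptLines($contents, $line, $context) as $idx => $text) {
        $safe = htmlspecialchars($text, \ENT_QUOTES | \ENT_SUBSTITUTE, 'UTF-8');
        $html .= sprintf('<li><a id="line%d"></a><code>%s</code></li>', $idx + 1, $safe);
    }
    return '<ol>'.$html.'</ol>';
}

/** Check: after removing the markup we emit ourselves, does any '<' remain? */
function containsUnescapedTag(string $excerpt): bool
{
    $stripped = preg_replace('#</?(ol|li|code)>|<a id="line\d+"></a>#', '', $excerpt);
    return str_contains($stripped, '<');
}

// Constructed sample log (not real output): the third line carries markup, as
// it would if untrusted input had been written into var/log/dev.log.
$log = implode("\n", [
    '[2026-01-01T10:00:00] app.INFO: started',
    '[2026-01-01T10:00:01] app.INFO: handling request',
    '[2026-01-01T10:00:02] app.WARNING: rejected value "<script>alert(1)</script>"',
    '[2026-01-01T10:00:03] app.INFO: finished',
]);

$before = renderExcerptBefore($log, 3, 1);
$after = renderExcerptAfter($log, 3, 1);

var_dump(containsUnescapedTag($before)); // bool(true): the tag reaches the browser as markup
var_dump(containsUnescapedTag($after));  // bool(false): rendered as &lt;script&gt;...

echo $after, PHP_EOL;
```

The check relies on knowing exactly which tags the renderer emits, so it is a regression test for this one filter rather than a general HTML sanitiser; the durable fix is the per-line `htmlspecialchars()` call in `renderExcerptAfter()`, which is the same measure the advisory's resolution describes.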
Affected packages (4)
- Debian/symfony from 0
- Packagist/symfony/symfony >= 6.4.24, < 6.4.40
- Packagist/symfony/twig-bridge >= 6.4.24, < 6.4.40
- Packagist/symfony/web-profiler-bundle >= 7.2.9, < 7.4.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U |
References (8)
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2026-45072
- PATCH https://github.com/symfony/symfony
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45072.yaml
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/twig-bridge/CVE-2026-45072.yaml
- WEB https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/web-profiler-bundle/CVE-2026-45072.yaml
- WEB https://github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb
- WEB https://github.com/symfony/symfony/security/advisories/GHSA-hmr5-2xcr-v8pp
- WEB https://symfony.com/cve-2026-45072