Critical Vulnerability Information

Vulnerability Title
Unsanitized HTML attribute injection via ComponentAttributes

Severity Level: Moderate (6.1/10)

CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Required Privileges: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

Affected Packages and Versions
- symfony/ux-live-component: <2.25.1
- symfony/ux-twig-component: <2.25.1

Fixed Versions
- symfony/ux-live-component: 2.25.1
- symfony/ux-twig-component: 2.25.1

Description and Impact
Rendering or using methods that return a instance (such as , , ) directly outputs attribute values without escaping. If these values are unsafe (e.g., containing user input), this may lead to HTML attribute injection and XSS vulnerabilities.

Fix Details
The issue has been resolved in version 2.25.1 of by properly escaping HTML attributes within using Twig’s . If you are using , you must also upgrade to version 2.25.1 to benefit from the fix, as it internally reuses the class.

Workarounds
Before upgrading, avoid directly rendering or derived objects that may contain untrusted values. Instead, use to safely output individual attributes.

References
GitHub Repository: symfony/ux

CVE ID
CVE-2025-47946

Weakness
CWE-79
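
The failure mode in the Description, shown as an added example that is not code from symfony/ux: a simplified attribute renderer with and without escaping, plus a check that parses the output to see which attributes actually reach the element. The function names are hypothetical, the sample value is constructed, and PHP's htmlspecialchars() stands in for the Twig escaper used by the real fix.

```php
<?php
// Added example: simplified stand-in for an attribute bag, not the Symfony UX class.

/** Joins name="value" pairs with no escaping (the behaviour the advisory describes). */
function renderAttributesUnescaped(array $attributes): string
{
    $out = '';
    foreach ($attributes as $name => $value) {
        $out .= sprintf(' %s="%s"', $name, $value);
    }
    return $out;
}

/** Same output shape, but each value is escaped for a quoted attribute context. */
function renderAttributesEscaped(array $attributes): string
{
    $out = '';
    foreach ($attributes as $name => $value) {
        // Attribute names are not escapable; reject anything outside a safe set.
        if (!preg_match('/^[A-Za-z_:@][A-Za-z0-9_.:@-]*$/', (string) $name)) {
            throw new InvalidArgumentException("Invalid attribute name: $name");
        }
        $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= sprintf(' %s="%s"', $name, $safe);
    }
    return $out;
}

/** Parses the rendered tag and returns the attribute names an HTML parser sees. */
function parsedAttributeNames(string $renderedAttributes): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<div' . $renderedAttributes . '></div>', LIBXML_NOERROR);
    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Constructed sample: "title" carries untrusted input containing a double quote.
$attributes = ['class' => 'card', 'title' => 'x" onmouseover="alert(1)'];

// Unescaped: the quote closes title early and a third attribute appears.
print_r(parsedAttributeNames(renderAttributesUnescaped($attributes)));
// Escaped: only the two intended attributes are present.
print_r(parsedAttributeNames(renderAttributesEscaped($attributes)));
```

Comparing the parsed attribute names against the names passed in is also a usable regression test for templates that render attribute bags built from request data.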