Description Symfony's profiler, a development only debug UI, renders source-code excerpts on several pages using Twig's custom "file_excerpt" filter. This filter renders PHP files via "highlight_string()" (which escapes HTML), but renders non-PHP files by splitting on "\n" and interpolating each line directly into "<code>{$line}</code>" with no escaping. An attacker who can write arbitrary bytes into any file under the project root (including e.g. "var/log/dev.log"), achieves stored XSS against any developer who later opens that file in the profiler. Resolution The "file_excerpt" filter now properly escapes each line of non-PHP files using "htmlspecialchars()" before concatenating them. The patch for this issue is available "here" (https://github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb) for branch 6.4. Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.