In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.
https://www.synology.com/security/advisory/Synology_SA_19_19
https://www.drupal.org/sa-core-2019-005
https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine
https://github.com/symfony/symfony/commit/ab4d05358c3d0dd1a36fc8c306829f68e3dd84e2