2 matches found
GHSA-946H-JP5C-8FVH symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Description Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping the SQL LIKE wildcards %, , . The value is passed as a bound parameter, so this is not SQL...
PT-2026-51052
Name of the Vulnerable Software and Affected Versions Symfony UX versions 2.2.0 through 2.35.0 Description In the SymfonyUXAutocompleteDoctrineEntitySearchUtil::addSearchClause function, the LIKE expression for the autocomplete endpoint is constructed by wrapping the client-supplied query in %......