Lucene search
+L

7 matches found

NVD
NVD
added yesterday5 views

CVE-2026-49212

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier props vs propsFromParent, or request contex...

6.9CVSS
Exploits0References4
NVD
NVD
added yesterday7 views

CVE-2026-49208

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a LiveProp is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className$value, allowing client-supplied...

6.9CVSS
Exploits0References4
CVE
CVE
added yesterday25 views

CVE-2026-49212

The CVE-2026-49212 issue affects Symfony UX LiveComponent: the HMAC used to protect read-only props and the propsFromParent blob did not bind to component name, slot, or request context, allowing a signed blob for one component/slot to be replayed on another and potentially set a read-only prop. ...

6.9CVSS5.2AI score
Exploits0References4
Cvelist
Cvelist
added yesterday13 views

CVE-2026-49212 Symfony UX: LiveComponentHydrator HMAC checksum lacks component and slot binding

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier props vs propsFromParent, or request contex...

6.9CVSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/19 7:34 p.m.8 views

symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding

Description In symfony/ux-live-component, a component's server-side state is exposed to the browser as a set of props LiveProp-annotated properties. Props marked writable: true can be freely changed by the client. Read-only props are round-tripped to the browser and back, and their integrity is...

6.9CVSS5.8AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/19 7:23 p.m.8 views

GHSA-89G7-22C8-3J23 ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor

Description When a LiveProp is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className$value. The DateTime / DateTimeImmutable constructors accept relative strings such as "now", "tomorrow",...

6.9CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.14 views

PT-2026-51053

Name of the Vulnerable Software and Affected Versions symfony/ux-live-component versions prior to 2.x and 3.x Description An issue exists in the SymfonyUXLiveComponentLiveComponentHydrator where the HMAC Hash-based Message Authentication Code used to protect read-only props and the propsFromParen...

6.9CVSS5.8AI score
Exploits0References8
Rows per page
Query Builder