Lucene search
+L

7 matches found

NVD
NVD
added yesterday6 views

CVE-2026-49215

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS
Exploits0References4
NVD
NVD
added yesterday5 views

CVE-2026-49212

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier props vs propsFromParent, or request contex...

6.9CVSS
Exploits0References4
Cvelist
Cvelist
added yesterday20 views

CVE-2026-49215 Symfony UX: CSRF Protection Bypass in symfony/ux-live-component — Accept Header is CORS-Safelisted

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS
Exploits0References4
EUVD
EUVD
added yesterday5 views

EUVD-2026-45218

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS5.3AI score
Exploits0References4
CVE
CVE
added yesterday17 views

CVE-2026-49208

CVE-2026-49208 (Symfony UX LiveComponent) : Vulnerability occurs when a writable #[LiveProp] is typed as DateTimeInterface with no explicit format, allowing client-supplied strings like now/tomorrow/+10 years to bypass checks via LiveComponentHydrator::hydrateObjectValue(), effectively moving tim...

6.9CVSS5.2AI score
Exploits0References4
Cvelist
Cvelist
added yesterday12 views

CVE-2026-49209 Symfony UX: Denial of service in symfony/ux-live-component via unbounded batch action requests

Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, ...

5.3CVSS
Exploits0References4
OSV
OSV
added 2026/06/26 10:20 p.m.48 views

GHSA-7VFX-4246-JCFH SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings

Summary Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifyi...

9.3CVSS5.8AI score
Exploits0References2
Rows per page
Query Builder