4 matches found
CVE-2026-55878 Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest
Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative accepts paths like ../../../etc, a crafted or...
CVE-2026-55878
The CVE-2026-55878 issue affects Symfony UX Toolkit. Affected: Symfony UX versions 2.32.0–2.36.0 and 3.0.0–3.1.x (pre-2.36.1/3.2.0). The ux:install console command copies files from a recipe kit using paths listed in copy-files; because Path::isRelative() treats paths like ../../../etc as relativ...
symfony/ux-toolkit Path Traversal allows arbitrary file write and read via crafted recipe manifest
Description The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative, which returns true for paths like ../../../etc. Path::join then resolves the .. segments without complaint, so the...
PT-2026-51123
Name of the Vulnerable Software and Affected Versions Symfony UX versions 2.32.0 through 2.36.0 Symfony UX versions 3.0.0 through 3.1.9 Description The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. Due to improper validation in...