4 matches found
CVE-2026-49209
Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, ...
CVE-2026-49209
The CVE-2026-49209 issue affects Symfony UX LiveComponent’s BatchActionController::__invoke(), which iterates over client-supplied actions and issues a full HttpKernel sub-request per entry. With unbounded action arrays, an authenticated attacker can submit a single _batch request containing thou...
Allocation of Resources Without Limits or Throttling
Overview symfony/ux-live-component is a Live components for Symfony Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via unbounded processing of client-supplied actions in BatchActionController::invoke. An attacker can cause denial of servic...
symfony/ux-live-component Denial of service via unbounded batch action requests
Description Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry event subscribers, validators, Doctrine, rendering. The array size is never bounded, so an authenticated client can...