symfony/ux-live-component
Packagist6 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting symfony/ux-live-componentpage 1 of 1
- CVE-2025-47946MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.25.12025-05-19
vulnerable: v2.0.0 ... v2.9.1 (42 versions)
Symfony UX is an initiative and set of libraries to integrate JavaScript tools into applications. Prior to version 2.25.1, rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defa…
- CVE-2026-49208MEDIUMCVSS 0.0EG 0.0✓ Fixed in 3.1.02026-06-19
vulnerable: v3.0.0
ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor ### Description When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveCo…
- CVE-2026-49209LOWCVSS 0.0EG 0.0✓ Fixed in 3.1.02026-06-19
vulnerable: v3.0.0
symfony/ux-live-component: Denial of service via unbounded batch action requests ### Description `Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full …
- CVE-2026-49210MEDIUMCVSS 0.0EG 0.0✓ Fixed in 3.1.02026-06-19
vulnerable: v3.0.0
symfony/ux-live-component: XSS via attacker-controlled child component tag ### Description `Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml()` interpolates the `$childTag` argument directly into the HTML output as…
- CVE-2026-49212LOWCVSS 0.0EG 0.0✓ Fixed in 3.1.02026-06-19
vulnerable: v3.0.0
symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding ### Description In `symfony/ux-live-component`, a component's server-side state is exposed to the browser as a set of props (`#[LiveProp]`-an…
- CVE-2026-49215LOWCVSS 0.0EG 0.0✓ Fixed in 3.1.02026-06-19
vulnerable: v3.0.0
symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted ### Description When using `symfony/ux-live-component`, methods annotated with `#[LiveAction]` are invokable from the browser and mutate server-side s…
Check whether symfony/ux-live-component is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for symfony/ux-live-component CVEs against the assets you own.
Start Free Scan →