Symfony UX JavaScript Ecosystem Vulnerability in DateTimeInterface Handling
CVE-2026-49208

6.9MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49208?

The Symfony UX JavaScript ecosystem allows for improper handling of DateTimeInterface types when not explicitly formatted. In versions ranging from 2.8.0 to 2.36.0 and 3.1.0, the LiveComponentHydrator fails to validate client-supplied relative date strings effectively. This can disrupt time-sensitive operations, enabling unauthorized manipulation of date-related properties. The issue has been addressed in versions 2.36.0 and 3.1.0, enhancing robustness against potential business logic vulnerabilities.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux >= 2.8.0, < 2.36.0 < 2.8.0, 2.36.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.