Symfony UX JavaScript Ecosystem Vulnerability in DateTimeInterface Handling
CVE-2026-49208
6.9MEDIUM
What is CVE-2026-49208?
The Symfony UX JavaScript ecosystem allows for improper handling of DateTimeInterface types when not explicitly formatted. In versions ranging from 2.8.0 to 2.36.0 and 3.1.0, the LiveComponentHydrator fails to validate client-supplied relative date strings effectively. This can disrupt time-sensitive operations, enabling unauthorized manipulation of date-related properties. The issue has been addressed in versions 2.36.0 and 3.1.0, enhancing robustness against potential business logic vulnerabilities.
Affected Version(s)
ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0
ux >= 2.8.0, < 2.36.0 < 2.8.0, 2.36.0
