Resource Exhaustion Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49209

5.3MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49209?

A resource exhaustion vulnerability exists in the Symfony UX JavaScript ecosystem due to the uncontrolled iteration of client-supplied actions. Specifically, the BatchActionController::__invoke() method does not limit the size of the actions array, allowing authenticated clients to submit a single _batch request with numerous actions. This can lead to excessive consumption of CPU, memory, and connections on the application server, potentially causing service disruptions. The issue has been resolved in Symfony UX versions 2.36.0 and 3.1.0, highlighting the importance of upgrading to these versions to maintain system performance and security.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux >= 2.5.0, < 2.36.0 < 2.5.0, 2.36.0

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.