SQL Injection Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49211

6.9MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49211?

The Symfony UX JavaScript ecosystem contains a vulnerability in the Autocomplete functionality. The method used to build LIKE expressions in the autocomplete endpoint fails to properly escape SQL wildcard characters in user-supplied queries. This oversight allows unauthorized users to manipulate the public BaseEntityAutocompleteType endpoint, resulting in exposure to broad search results across all searchable fields. The issue has been addressed in Symfony UX versions 2.36.0 and 3.1.0.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux >= 2.2.0, < 2.36.0 < 2.2.0, 2.36.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.