Cross-Site Scripting Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49212
6.9MEDIUM
What is CVE-2026-49212?
The Symfony UX JavaScript ecosystem has a vulnerability in versions from 2.8.0 to 2.36.0, and 3.1.0 due to HMAC calculations that failed to include critical components such as the component name, slot identifier, and request context. This oversight allows for the potential replay of a signed blob, which could incorrectly set read-only properties on intended target components. This introduces significant security risks due to improper validation, making it essential for users to upgrade to versions 2.36.0 or 3.1.0, which contain the necessary fixes to mitigate these risks.
Affected Version(s)
ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0
ux < 2.36.0 < 2.36.0
