Cross-Site Scripting Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49212

6.9MEDIUM

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49212?

The Symfony UX JavaScript ecosystem has a vulnerability in versions from 2.8.0 to 2.36.0, and 3.1.0 due to HMAC calculations that failed to include critical components such as the component name, slot identifier, and request context. This oversight allows for the potential replay of a signed blob, which could incorrectly set read-only properties on intended target components. This introduces significant security risks due to improper validation, making it essential for users to upgrade to versions 2.36.0 or 3.1.0, which contain the necessary fixes to mitigate these risks.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux < 2.36.0 < 2.36.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.