Cross-Origin Forgery Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49215

2.1LOW

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-49215?

The Symfony UX JavaScript ecosystem is susceptible to a cross-origin request forgery vulnerability. This flaw affects versions 2.22.0 through 2.36.0 and 3.1.0, allowing attackers to forge cross-origin requests against a user’s session. When applications have a permissive cookie policy, utilize SameSite=None, and have credentials set to 'include', the vulnerability can be exploited through the Accept header, which can be manipulated in a cross-origin fetch call. Users are encouraged to upgrade to versions 2.36.0 or 3.1.0 to mitigate this vulnerability.

Affected Version(s)

ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

ux >= 2.22.0, < 2.36.0 < 2.22.0, 2.36.0

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.