Cross-Origin Forgery Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-49215
2.1LOW
What is CVE-2026-49215?
The Symfony UX JavaScript ecosystem is susceptible to a cross-origin request forgery vulnerability. This flaw affects versions 2.22.0 through 2.36.0 and 3.1.0, allowing attackers to forge cross-origin requests against a user’s session. When applications have a permissive cookie policy, utilize SameSite=None, and have credentials set to 'include', the vulnerability can be exploited through the Accept header, which can be manipulated in a cross-origin fetch call. Users are encouraged to upgrade to versions 2.36.0 or 3.1.0 to mitigate this vulnerability.
Affected Version(s)
ux >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0
ux >= 2.22.0, < 2.36.0 < 2.22.0, 2.36.0
