Path Traversal Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-55878
7.8HIGH
What is CVE-2026-55878?
A path traversal vulnerability has been identified in the Symfony UX JavaScript ecosystem. Specifically, the ux:install console command allows an attacker to manipulate the input paths due to the way relative paths are processed. As the command can copy files from a recipe kit using a copy-files map, an adversary could create a crafted or compromised kit that exploits this weakness, leading to unauthorized file writes or reads outside the intended recipe directory. This vulnerability has been addressed in versions 2.36.1 and 3.2.0, making it essential for users to upgrade to secure their applications.
Affected Version(s)
ux >= 2.32.0, < 2.36.1 < 2.32.0, 2.36.1
ux >= 3.0.0, < 3.2.0 < 3.0.0, 3.2.0
