Path Traversal Vulnerability in Symfony UX JavaScript Ecosystem
CVE-2026-55878

7.8HIGH

Key Information:

Vendor

Symfony

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-55878?

A path traversal vulnerability has been identified in the Symfony UX JavaScript ecosystem. Specifically, the ux:install console command allows an attacker to manipulate the input paths due to the way relative paths are processed. As the command can copy files from a recipe kit using a copy-files map, an adversary could create a crafted or compromised kit that exploits this weakness, leading to unauthorized file writes or reads outside the intended recipe directory. This vulnerability has been addressed in versions 2.36.1 and 3.2.0, making it essential for users to upgrade to secure their applications.

Affected Version(s)

ux >= 2.32.0, < 2.36.1 < 2.32.0, 2.36.1

ux >= 3.0.0, < 3.2.0 < 3.0.0, 3.2.0

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.