๐Ÿ” CVE Alert

CVE-2026-49211

UNKNOWN 0.0

Symfony UX: Information exposure via unescaped LIKE wildcards in EntitySearchUtil

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards (%, _, \), allowing unauthenticated users to turn the public BaseEntityAutocompleteType endpoint into a broad matcher or blind boolean oracle against every column in default searchable_fields. This issue is fixed in versions 2.36.0 and 3.1.0.

CWE CWE-200
Vendor symfony
Product ux
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for symfony ux

Be the first to know when new unknown vulnerabilities affecting symfony ux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / ux
>= 3.0.0, < 3.1.0 >= 2.2.0, < 2.36.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/ux/security/advisories/GHSA-946h-jp5c-8fvh github.com: https://github.com/symfony/ux/commit/725ab3d40689c91ff19ad2d01940a30007769214 github.com: https://github.com/symfony/ux/releases/tag/v2.36.0 github.com: https://github.com/symfony/ux/releases/tag/v3.1.0