๐Ÿ” CVE Alert

CVE-2026-49212

UNKNOWN 0.0

Symfony UX: LiveComponentHydrator HMAC checksum lacks component and slot binding

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier (props vs propsFromParent), or request context, allowing a signed blob minted for one component or slot to be replayed in another and set a read-only prop on a target component. This issue is fixed in versions 2.36.0 and 3.1.0.

CWE CWE-345
Vendor symfony
Product ux
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for symfony ux

Be the first to know when new unknown vulnerabilities affecting symfony ux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / ux
>= 3.0.0, < 3.1.0 < 2.36.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/ux/security/advisories/GHSA-34w5-c283-j9fg github.com: https://github.com/symfony/ux/commit/a224b5af3e2e33ee14ac71356ae0e0877900a81c github.com: https://github.com/symfony/ux/releases/tag/v2.36.0 github.com: https://github.com/symfony/ux/releases/tag/v3.1.0