CVE-2026-49215
Symfony UX: CSRF Protection Bypass in symfony/ux-live-component โ Accept Header is CORS-Safelisted
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gates #[LiveAction] invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and cross-origin fetch() can set it without preflight, allowing forged cross-origin #[LiveAction] requests against a victim session when applications use SameSite=None, credentials: 'include', a permissive cookie policy, or a same-origin pivot. This issue is fixed in versions 2.36.0 and 3.1.0.
| CWE | CWE-352 |
| Vendor | symfony |
| Product | ux |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for symfony ux
Be the first to know when new unknown vulnerabilities affecting symfony ux are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
symfony / ux
>= 3.0.0, < 3.1.0 >= 2.22.0, < 2.36.0