๐Ÿ” CVE Alert

CVE-2026-49215

UNKNOWN 0.0

Symfony UX: CSRF Protection Bypass in symfony/ux-live-component โ€” Accept Header is CORS-Safelisted

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gates #[LiveAction] invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and cross-origin fetch() can set it without preflight, allowing forged cross-origin #[LiveAction] requests against a victim session when applications use SameSite=None, credentials: 'include', a permissive cookie policy, or a same-origin pivot. This issue is fixed in versions 2.36.0 and 3.1.0.

CWE CWE-352
Vendor symfony
Product ux
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for symfony ux

Be the first to know when new unknown vulnerabilities affecting symfony ux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

symfony / ux
>= 3.0.0, < 3.1.0 >= 2.22.0, < 2.36.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/ux/security/advisories/GHSA-4m4j-hmqq-3gxm github.com: https://github.com/symfony/ux/commit/aed7493db2b4b7bf1f9c79b33cda544f06904b27 github.com: https://github.com/symfony/ux/releases/tag/v2.36.0 github.com: https://github.com/symfony/ux/releases/tag/v3.1.0