๐Ÿ” CVE Alert

CVE-2026-55878

HIGH 7.8

Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest

CVSS Score
7.8
EPSS Score
0.1%
EPSS Percentile
4th

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative() accepts paths like ../../../etc, a crafted or compromised kit can write attacker-controlled content to arbitrary locations or read local files outside the recipe directory. This issue is fixed in versions 2.36.1 and 3.2.0.

CWE CWE-22
Vendor symfony
Product ux
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for symfony ux

Be the first to know when new high vulnerabilities affecting symfony ux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

symfony / ux
>= 2.32.0, < 2.36.1 >= 3.0.0, < 3.2.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q github.com: https://github.com/symfony/ux/commit/7b4ddf3764bf269a1b5fde5bf03c4bce568694e4 github.com: https://github.com/symfony/ux/releases/tag/v2.36.1 github.com: https://github.com/symfony/ux/releases/tag/v3.2.0