symfony/ux-live-component Denial of service via unbounded batch action requests

PKSA-tv34-cfvx-rr9r CVE-2026-49209

Affected version: >=2.5.0,<2.36.0|>=3.0.0,<3.1.0

Reported by:
FriendsOfPHP/security-advisories

[MEDIUM] symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes

PKSA-9bp8-3bj8-8jj2 CVE-2025-47946 GHSA-5j3w-5pcr-f8hg

Affected version: <2.25.1

Reported by:
GitHub, FriendsOfPHP/security-advisories