symfony/ux-live-component Security Advisories for v2.13.0 (5)
-
symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor
PKSA-kwkg-rq7h-gh18 CVE-2026-49208
Affected version: >=2.8.0,<2.36.0|>=3.0.0,<3.1.0
Reported by:
FriendsOfPHP/security-advisories -
symfony/ux-live-component Denial of service via unbounded batch action requests
PKSA-tv34-cfvx-rr9r CVE-2026-49209
Affected version: >=2.5.0,<2.36.0|>=3.0.0,<3.1.0
Reported by:
FriendsOfPHP/security-advisories -
symfony/ux-live-component XSS via attacker-controlled child component tag
PKSA-87hx-5gp4-x12b CVE-2026-49210
Affected version: >=2.8.0,<2.36.0|>=3.0.0,<3.1.0
Reported by:
FriendsOfPHP/security-advisories -
symfony/ux-live-component LiveComponentHydrator HMAC checksum lacks component and slot binding
PKSA-wxdb-kw41-yhdy CVE-2026-49212
Affected version: >=2.8.0,<2.36.0|>=3.0.0,<3.1.0
Reported by:
FriendsOfPHP/security-advisories -
[MEDIUM] symfony/ux-live-component Unsanitized HTML attribute injection via ComponentAttributes
PKSA-9bp8-3bj8-8jj2 CVE-2025-47946 GHSA-5j3w-5pcr-f8hg
Affected version: <2.25.1
Reported by:
GitHub, FriendsOfPHP/security-advisories