symfony/ux-live-component Format-less date LiveProps parsed with the permissive DateTime constructor

PKSA-kwkg-rq7h-gh18 CVE-2026-49208

Affected package: symfony/ux-live-component

Affected version: >=2.8.0,<2.36.0|>=3.0.0,<3.1.0

Reported by:
FriendsOfPHP/security-advisories