Symfony UX 3.2.0 and 2.36.1 fix two security issues in UX Icons and UX Toolkit, while 3.2.0 also brings new TwigComponent, Toolkit and Native features.
June 19, 2026
#Symfony UX
❤️ 1
👍 3
XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
June 19, 2026
#Symfony UX
Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest
June 19, 2026
#Symfony UX
LiveComponentHydrator HMAC checksum lacks component and slot binding
May 29, 2026
#Symfony UX
👍 1
Information exposure via unescaped LIKE wildcards in EntitySearchUtil
May 29, 2026
#Symfony UX
👍 1
Format-less date LiveProps parsed with the permissive DateTime constructor
May 29, 2026
#Symfony UX
Denial of service in symfony/ux-live-component via unbounded batch action requests
May 29, 2026
#Symfony UX
XSS in symfony/ux-live-component via attacker-controlled child component tag
May 29, 2026
#Symfony UX
XSS in symfony/ux-autocomplete via unescaped AJAX response data
May 29, 2026
#Symfony UX
CVE-2026-49215 CSRF Protection Bypass in symfony/ux-live-component: Accept Header is CORS-Safelisted
CSRF Protection Bypass in symfony/ux-live-component: Accept Header is CORS-Safelisted
May 29, 2026
#Symfony UX