Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Manage your notification preferences to receive an email as soon as a Symfony security release is published.
XSS in symfony/ux-autocomplete via unescaped AJAX response data
May 29, 2026
#Security Advisories
Information exposure via unescaped LIKE wildcards in EntitySearchUtil
May 29, 2026
#Security Advisories
LiveComponentHydrator HMAC checksum lacks component and slot binding
May 29, 2026
#Security Advisories
CVE-2026-49215 CSRF Protection Bypass in symfony/ux-live-component: Accept Header is CORS-Safelisted
May 29, 2026
#Security Advisories
Format-less date LiveProps parsed with the permissive DateTime constructor
May 29, 2026
#Security Advisories
Denial of service in symfony/ux-live-component via unbounded batch action requests
May 29, 2026
#Security Advisories
XSS in symfony/ux-live-component via attacker-controlled child component tag
May 29, 2026
#Security Advisories
Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`
May 27, 2026
#Security Advisories
Sandbox `__toString()` policy bypass via dynamic mapping keys
May 27, 2026
#Security Advisories
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026
#Security Advisories