CVE-2026-49208
Received Received - Intake

DateTime Injection in Symfony UX LiveComponent

Vulnerability report for CVE-2026-49208, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a #[LiveProp] is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value), allowing client-supplied relative strings such as now, tomorrow, or +10 years to move a writable, format-less date prop past time-based business logic checks. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
symfony ux_live_component From 2.8.0 (inc) to 2.36.0 (exc)
symfony ux_live_component From 3.0.0 (inc) to 3.1.0 (exc)
symfony ux_live_component 2.36.0
symfony ux_live_component 3.1.0
symfony ux From 2.8.0 (inc) to 2.36.0 (inc)
symfony ux 3.1.0
symfony ux 2.36.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Symfony UX LiveComponent versions between 2.8.0 and 2.36.0, and 3.0.0 and 3.1.0. It involves improper parsing of format-less date LiveProps typed as DateTimeInterface. The hydrator incorrectly uses the DateTime constructor, allowing client-supplied relative date strings like 'now' or 'tomorrow' to set arbitrary dates, bypassing time-based business logic checks.

Detection Guidance

Check Symfony UX LiveComponent versions with: composer show symfony/ux-live-component. If version is >=2.8.0 and <2.36.0 or >=3.0.0 and <3.1.0, the system is vulnerable. Review application code for #[LiveProp] DateTimeInterface fields without explicit format configuration.

Impact Analysis

An attacker could manipulate date values in applications using vulnerable versions, potentially bypassing time-based restrictions or validations. This might allow unauthorized changes to time-sensitive operations, such as altering deadlines, modifying timestamps, or circumventing business logic that relies on date comparisons.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by allowing unauthorized manipulation of date values in applications handling sensitive data. If time-based business logic checks are bypassed, it may lead to improper data processing or access controls, violating regulatory requirements for data integrity and security.

Mitigation Strategies

Upgrade Symfony UX LiveComponent to version 2.36.0 or 3.1.0 or later. Update composer.json to require these versions and run composer update. Review and update any #[LiveProp] DateTimeInterface fields to include explicit format configuration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49208. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart