CVE-2026-49211
Received Received - Intake

SQL Injection in Symfony UX Autocomplete

Vulnerability report for CVE-2026-49211, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards (%, _, \), allowing unauthenticated users to turn the public BaseEntityAutocompleteType endpoint into a broad matcher or blind boolean oracle against every column in default searchable_fields. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
symfony ux From 2.2.0 (inc) to 2.36.0 (inc)
symfony ux From 3.0.0 (inc) to 3.0.9 (inc)
symfony ux to 2.36.0 (inc)
symfony ux 3.1.0
symfony ux 2.36.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Symfony UX Autocomplete versions 2.2.0 to 2.35.0 and 3.0.0 to 3.0.9. It allows unauthenticated users to manipulate LIKE wildcards in search queries by wrapping input in %...% without escaping. Attackers can use % to match all rows or _ to match single characters, turning the autocomplete endpoint into a broad matcher or blind boolean oracle against all searchable entity columns.

Detection Guidance

To detect this vulnerability, inspect your Symfony UX Autocomplete component version. Check if you are running versions between 2.2.0-2.35.0 or 3.0.0-3.0.9. Review application logs for unusual search patterns using wildcards like % or _ in autocomplete queries.

Impact Analysis

If you use affected Symfony UX Autocomplete versions, attackers could extract sensitive data by crafting search queries with wildcards. They might bypass intended search filters, retrieve unintended records, or perform blind boolean queries to infer data patterns. The public autocomplete endpoint makes this exploitable without authentication.

Compliance Impact

This vulnerability could lead to unauthorized data exposure, violating GDPR's data protection principles (Article 5) and HIPAA's security requirements for protecting PHI. Uncontrolled data access risks non-compliance with access controls and audit obligations, potentially resulting in regulatory penalties or data breach notifications.

Mitigation Strategies

Upgrade Symfony UX Autocomplete to versions 2.36.0 or 3.1.0 or later. If immediate upgrade is not possible, apply the patch from the commit 725ab3d40689c91ff19ad2d01940a30007769214 to escape wildcards in search queries.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49211. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart