CVE-2026-49215
Received Received - Intake

Cross-Origin Forgery in Symfony UX LiveComponent

Vulnerability report for CVE-2026-49215, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gates #[LiveAction] invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and cross-origin fetch() can set it without preflight, allowing forged cross-origin #[LiveAction] requests against a victim session when applications use SameSite=None, credentials: 'include', a permissive cookie policy, or a same-origin pivot. This issue is fixed in versions 2.36.0 and 3.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
symfony ux_live_component From 2.22.0 (inc) to 2.36.0 (inc)
symfony ux_live_component 3.1.0
symfony ux-live-component From 2.22.0 (inc) to 2.36.0 (inc)
symfony ux-live-component 3.1.0
symfony ux-live-component 2.36.0
symfony ux to 2.36.0 (inc)
symfony ux 3.1.0
symfony ux 2.36.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a CSRF protection bypass in the Symfony UX LiveComponent package. The Accept header, used to protect #[LiveAction] methods, is a CORS-safelisted header that can be set by cross-origin fetch requests without preflight. This allows attackers to forge cross-origin #[LiveAction] requests against a victim's session if the application uses SameSite=None, credentials: 'include', or permissive cookie policies.

Detection Guidance

To detect this vulnerability, inspect your Symfony UX LiveComponent requests for missing X-Requested-With: XMLHttpRequest headers alongside Accept: application/vnd.live-component+html. Check if cross-origin requests are being made without proper preflight checks. Review server logs for requests with Accept headers but no X-Requested-With header.

Impact Analysis

An attacker could trick a user into making unauthorized requests to a vulnerable Symfony UX application. This could lead to unintended actions being performed on behalf of the user, such as data modification or access, if the application relies on the vulnerable LiveComponent functionality.

Compliance Impact

This vulnerability primarily affects data integrity and security controls rather than directly violating GDPR or HIPAA. However, it could lead to unauthorized cross-origin requests that may expose sensitive user data if applications use permissive cookie policies or SameSite=None settings. Compliance risks arise if the vulnerability enables data breaches or unauthorized access, which could violate GDPR's integrity principles or HIPAA's access controls.

Mitigation Strategies

Upgrade Symfony UX LiveComponent to versions 2.36.0 or 3.1.0 or later. Ensure SameSite=Lax is used for session cookies. If SameSite=None is required, verify credentials: 'include' and cookie policies are restrictive. Update CORS configurations to allow X-Requested-With header in Access-Control-Allow-Headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49215. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart