CVE-2026-55878
Received Received - Intake

Path Traversal in Symfony UX

Vulnerability report for CVE-2026-55878, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative() accepts paths like ../../../etc, a crafted or compromised kit can write attacker-controlled content to arbitrary locations or read local files outside the recipe directory. This issue is fixed in versions 2.36.1 and 3.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
symfony ux From 2.32.0 (inc) to 2.36.1 (exc)
symfony ux From 3.0.0 (inc) to 3.2.0 (exc)
symfony ux 2.36.1
symfony ux 3.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Symfony UX, a JavaScript ecosystem for Symfony, specifically in the ux:install console command versions from 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0.

The command installs files from a recipe kit by copying paths listed in a copy-files map. However, because the Path::isRelative() function accepts paths like ../../../etc, a crafted or compromised recipe kit can exploit this to write attacker-controlled content to arbitrary locations or read local files outside the intended recipe directory.

This means an attacker can potentially manipulate the file system by reading or writing files outside the allowed scope during the installation process.

Impact Analysis

This vulnerability can have serious impacts including unauthorized reading of sensitive local files and writing of malicious or attacker-controlled files to arbitrary locations on the system.

Such actions can lead to compromise of confidentiality, integrity, and availability of the system.

Specifically, an attacker could use this to escalate privileges, implant malware, or exfiltrate sensitive data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Symfony UX to version 2.36.1 or later if you are using the 2.x series, or to version 3.2.0 or later if you are using the 3.x series.

Avoid using the ux:install console command with untrusted or compromised recipe kits, as they may exploit the path traversal issue to write or read arbitrary files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55878. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart