Back to CVE List

CVE-2026-49209

Vulnerability Description

Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. This issue is fixed in versions 2.36.0 and 3.1.0.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-770
Source
NVD
Vendor
symfony
Product
ux

External References

Discussion (0)

Add Comment

No comments yet. Be the first!