CVE-2026-49209
Vulnerability Description
Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. This issue is fixed in versions 2.36.0 and 3.1.0.
Vulnerability Details
Published Date
Last Modified
CWE ID
CWE-770
Source
NVD
Vendor
symfony
Product
ux
Discussion (0)
Add Comment
No comments yet. Be the first!