PT-2026-51052 · Packagist · Symfony/Ux-Autocomplete

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49211

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

`Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in `%...%` without escaping the SQL LIKE wildcards (`%`, `_`, `\`). The value is passed as a bound parameter, so this is not SQL injection, but a client can send `%` to match every row or use `_` as a single-character wildcard.
Because `searchable_fields` defaults to every property of the entity and the autocomplete endpoint is public by default (`BaseEntityAutocompleteType` ships with `security => false`), an unauthenticated user can turn the endpoint into a broad matcher or a blind boolean oracle against every column of the entity, including columns the application never intended to expose.

Resolution

`EntitySearchUtil` now escapes `\`, `%`, and `_` in the user-supplied query with `addcslashes()` and appends an explicit `ESCAPE '\'` clause to the generated LIKE expression, so those characters are matched literally. The exact-match branch for `words` queries (`IN()`) is unchanged.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
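The following is an added example, not code from symfony/ux. It reproduces the two forms the advisory contrasts, the client query wrapped in `%...%` and bound as a parameter without escaping, beside the escaped form built with `addcslashes()` plus an `ESCAPE '\'` clause, and runs both against a constructed in-memory SQLite table through PDO so the difference in matched rows is visible. The table, column names and sample rows are assumptions made for the example; the real `EntitySearchUtil` builds its expression through the Doctrine query builder rather than raw PDO.

```php
<?php
// Added example (not the project's code). Table, column names and rows are
// constructed for this demonstration; PDO/SQLite stands in for Doctrine DBAL.

declare(strict_types=1);

/** Vulnerable form: wildcards in the client query keep their LIKE meaning. */
function buildUnescapedPattern(string $clientQuery): string
{
    return '%' . $clientQuery . '%';
}

/** Fixed form: \, % and _ are backslash-escaped so the query matches literally. */
function buildEscapedPattern(string $clientQuery): string
{
    return '%' . addcslashes($clientQuery, '\\%_') . '%';
}

/**
 * Counts rows whose $column matches $pattern. $column is always a constant from
 * code (never client input); the pattern itself is a bound parameter, as in the
 * advisory. $withEscape appends the ESCAPE clause the fix relies on.
 */
function countMatches(PDO $pdo, string $column, string $pattern, bool $withEscape): int
{
    $sql = "SELECT COUNT(*) FROM product WHERE $column LIKE :q";
    if ($withEscape) {
        $sql .= " ESCAPE '\\'"; // the SQL engine sees ESCAPE '\'
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':q' => $pattern]);

    return (int) $stmt->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT NOT NULL, internal_code TEXT NOT NULL)');

// Constructed sample rows; internal_code stands for a column the application
// never meant to expose through autocomplete.
$insert = $pdo->prepare('INSERT INTO product (name, internal_code) VALUES (:n, :c)');
foreach ([['Widget', 'ACME-1001'], ['Gadget', 'ACME-2002'], ['100% cotton shirt', 'TXTL-3003']] as [$n, $c]) {
    $insert->execute([':n' => $n, ':c' => $c]);
}

// A lone "%" matches every row when unescaped; escaped, it matches only rows
// containing a literal "%", of which internal_code has none.
printf("'%%' unescaped on internal_code: %d rows\n", countMatches($pdo, 'internal_code', buildUnescapedPattern('%'), false)); // 3
printf("'%%' escaped on internal_code:   %d rows\n", countMatches($pdo, 'internal_code', buildEscapedPattern('%'), true));    // 0

// Why "_" must be escaped too: unescaped it is a single-character wildcard, so a
// query that is not a literal substring of any row still matches one.
printf("'ACME-1__1' unescaped: %d rows\n", countMatches($pdo, 'internal_code', buildUnescapedPattern('ACME-1__1'), false)); // 1
printf("'ACME-1__1' escaped:   %d rows\n", countMatches($pdo, 'internal_code', buildEscapedPattern('ACME-1__1'), true));    // 0

// Legitimate input containing "%" still works after the fix: it is matched literally.
printf("'100%%' escaped on name: %d rows\n", countMatches($pdo, 'name', buildEscapedPattern('100%'), true)); // 1
```

The `addcslashes()` character list must include the backslash itself; otherwise a client-supplied `\` followed by `%` would be read by the database as an escaped, literal `%` and the `ESCAPE` clause would change which rows match rather than simply neutralising the wildcards. Whether `ESCAPE '\'` needs the backslash doubled depends on the database dialect (it does not in SQLite, as here), which is why the fix emits the clause explicitly rather than relying on a driver default.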

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and providing the fix.

Tags: Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-49211
GHSA-946H-JP5C-8FVH

Affected Products

Symfony/Ux-Autocomplete