PT-2026-51050 · Symfony · Symfony Ux Live
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-49209
CVSS v4.0: 1.3 (Low)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions
Symfony UX Live Component versions prior to 2.x
Symfony UX Live Component versions prior to 3.x
Description
The BatchActionController::__invoke() function iterates over a client-supplied actions array and issues a full HttpKernel sub-request for each entry, involving event subscribers, validators, Doctrine, and rendering. Because the array size is not bounded, an authenticated client can submit a single batch request containing thousands of actions, leading to the exhaustion of CPU, memory, and database connections on the application server, resulting in a Denial of Service.
Recommendations
Update to the patched version for branch 2.x.
Update to the patched version for branch 3.x.
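The following PHP sketch is an added illustration of the unbounded loop from the description next to a bounded form; it is not code from Symfony UX or from the patched releases. The function names, the limit of 25, the HTTP status codes and the name/args action shape are assumptions, and dispatchSubRequest() is a counting stand-in for the real HttpKernel sub-request (PHP 8.1 or later).

```php
<?php
declare(strict_types=1);

// Assumed cap; the page does not state the limit used by the patched releases.
const MAX_BATCH_ACTIONS = 25;

// Hypothetical stand-in for one HttpKernel sub-request: it only counts calls.
function dispatchSubRequest(array $action, int &$dispatched): void
{
    ++$dispatched;
}

// Unbounded pattern from the description: work grows with the client's array.
function handleBatchUnbounded(array $actions, int &$dispatched): void
{
    foreach ($actions as $action) {
        dispatchSubRequest($action, $dispatched);
    }
}

// Bounded form: the whole batch is checked first, so a rejected batch costs nothing.
function handleBatchBounded(mixed $actions, int &$dispatched): int
{
    if (!is_array($actions) || !array_is_list($actions)) {
        return 400; // actions is not a list
    }
    if (count($actions) > MAX_BATCH_ACTIONS) {
        return 413; // over the cap: zero sub-requests issued
    }
    foreach ($actions as $action) {
        if (!is_array($action) || !is_string($action['name'] ?? null)) {
            return 400; // malformed entry, caught before any dispatch
        }
    }
    foreach ($actions as $action) {
        dispatchSubRequest($action, $dispatched);
    }
    return 200;
}

// Constructed sample input: one decoded request body carrying 5000 actions.
$payload = ['actions' => array_fill(0, 5000, ['name' => 'save', 'args' => []])];

$unbounded = 0;
handleBatchUnbounded($payload['actions'], $unbounded);
$bounded = 0;
$status = handleBatchBounded($payload['actions'], $bounded);
printf("unbounded: %d sub-requests; bounded: HTTP %d, %d sub-requests\n", $unbounded, $status, $bounded);
```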
Exploit
Fix
Allocation of Resources Without Limits
Weakness Enumeration
Related Identifiers
Affected Products
Symfony Ux Live