PT-2026-51053 · Symfony · Ux-Live-Component

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49212

CVSS v4.0: 2.3 (Low)

Vector: AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: symfony/ux-live-component, versions prior to 2.x and 3.x
Description: An issue exists in Symfony\UX\LiveComponent\LiveComponentHydrator, where the HMAC (Hash-based Message Authentication Code) that protects read-only props and the propsFromParent blob covered only the sorted prop key/value pairs. Because the HMAC did not include the component name, the slot identifier or any request context, and used a single application-wide secret, a signed blob could be replayed across different components or slots whenever the key names matched. This allows an attacker to set a read-only prop on a target component to a value they were permitted to set as a writable prop on a different component.
Recommendations: Update to the latest version of the 2.x branch, or to the latest version of the 3.x branch.
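As an added illustration (not code from the advisory or from symfony/ux-live-component), the Python below models the difference between the weak scheme described above, an HMAC over the sorted props alone, and a context-bound scheme that also covers the component name and slot identifier. The secret, component names and sample props are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real application would use its own.
SECRET = b"constructed-demo-secret-not-for-production"


def canonical_props(props: dict) -> bytes:
    """Sorted key/value pairs, the only input the weak tag covers."""
    return json.dumps(props, sort_keys=True, separators=(",", ":")).encode()


def sign_unbound(props: dict) -> str:
    """Weak: the tag depends on the props alone, so any component that
    receives the same key/value pairs recomputes the same tag."""
    return hmac.new(SECRET, canonical_props(props), hashlib.sha256).hexdigest()


def verify_unbound(props: dict, tag: str) -> bool:
    return hmac.compare_digest(sign_unbound(props), tag)


def sign_bound(component: str, slot: str, props: dict) -> str:
    """Hardened: domain-separate the tag with the component name and slot.
    The context is JSON-encoded and NUL-separated from the props so that the
    two parts cannot be shifted into one another."""
    context = json.dumps([component, slot], separators=(",", ":")).encode()
    return hmac.new(SECRET, context + b"\x00" + canonical_props(props),
                    hashlib.sha256).hexdigest()


def verify_bound(component: str, slot: str, props: dict, tag: str) -> bool:
    return hmac.compare_digest(sign_bound(component, slot, props), tag)


def replay_check() -> dict:
    """Sign props for one component, then check them on another one.
    Without context binding the second component accepts the tag; with
    binding the same tag only verifies where it was issued."""
    props = {"userId": 42}  # constructed sample prop
    weak_tag = sign_unbound(props)
    bound_tag = sign_bound("CommentForm", "main", props)
    return {
        "unbound_accepted_elsewhere": verify_unbound(props, weak_tag),
        "bound_accepted_elsewhere": verify_bound("AdminPanel", "main", props, bound_tag),
        "bound_accepted_other_slot": verify_bound("CommentForm", "sidebar", props, bound_tag),
        "bound_accepted_at_origin": verify_bound("CommentForm", "main", props, bound_tag),
    }
```

Adding request-specific context (the advisory names this as a missing input too) to the bound message would narrow the tag's validity further.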

Exploit

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2026-49212
GHSA-34W5-C283-J9FG

Affected Products

Ux-Live-Component