PT-2026-51054 · Packagist · Symfony/Ux-Live-Component

Published: 2026-06-19 · Updated: 2026-06-19 · CVE-2026-49215

CVSS v4.0: 2.1 (Low)

Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Symfony UX LiveComponent versions prior to 2.x
Symfony UX LiveComponent versions prior to 3.x
Description

Methods annotated with #[LiveAction] in symfony/ux-live-component can be invoked from the browser to mutate server-side state via AJAX. The function isLiveComponentRequest() previously relied on the presence of the Accept: application/vnd.live-component+html header as its CSRF protection. Because Accept is a CORS-safelisted request header, a cross-origin page can set it via fetch() without triggering a preflight request, so #[LiveAction] calls can be forged cross-origin against a victim's session. The risk is higher for applications that use SameSite=None session cookies or otherwise permissive cookie policies.
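The description hinges on the Fetch Standard's rule that Accept is a CORS-safelisted request header. The following added example (not code from symfony/ux-live-component or its fix) models that safelist rule in simplified form (the Range header case is omitted) to show which headers a browser sends cross-origin without a preflight, and contrasts an Accept-only request check with a hardened one. The custom header name X-Live-Component-Request, the X-CSRF-Token header and the sample headers are constructed assumptions for illustration, not the project's actual implementation.

```javascript
// Added example, not code from symfony/ux-live-component. Models the Fetch
// Standard's "CORS-safelisted request-header" rules (simplified: Range omitted)
// and contrasts a weak Accept-only check with a hardened one. Header names
// marked hypothetical are assumptions, not the project's actual fix.

const LIVE_ACCEPT = 'application/vnd.live-component+html';
const SAFELISTED_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];
const CUSTOM_HEADER = 'x-live-component-request'; // hypothetical; not safelisted, so it forces a preflight
const TOKEN_HEADER = 'x-csrf-token';               // hypothetical; carries a session-bound token

// "CORS-unsafe request-header byte" per the Fetch Standard.
function isCorsUnsafeByte(code) {
  if (code < 0x20 && code !== 0x09) return true;
  return [0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40, 0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f].includes(code);
}

function hasUnsafeByte(value) {
  for (let i = 0; i < value.length; i++) {
    if (isCorsUnsafeByte(value.charCodeAt(i))) return true;
  }
  return false;
}

// True when a browser may send this header cross-origin without a preflight.
function isCorsSafelistedRequestHeader(name, value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  switch (name.toLowerCase()) {
    case 'accept':
      return !hasUnsafeByte(value);
    case 'accept-language':
    case 'content-language':
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case 'content-type': {
      if (hasUnsafeByte(value)) return false;
      const essence = value.split(';')[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.includes(essence);
    }
    default:
      return false; // any other header (e.g. a custom one) triggers a preflight
  }
}

// A cross-origin request reaches the server without a preflight only if the method
// is simple and every header is safelisted; such requests need a real CSRF defence.
function isPreflightFree(method, headers) {
  if (!SIMPLE_METHODS.includes(method.toUpperCase())) return false;
  return Object.entries(headers).every(([k, v]) => isCorsSafelistedRequestHeader(k, v));
}

// Case-insensitive header lookup over a plain object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Weak check, as the advisory describes the pre-fix behaviour: Accept header alone.
function weakIsLiveComponentRequest(headers) {
  return getHeader(headers, 'accept') === LIVE_ACCEPT;
}

// Constant-time string comparison so token checks do not leak via timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened check (illustrative): Accept is still required for routing, but the
// request must also carry a non-safelisted custom header (a cross-origin page
// cannot add one without a preflight the endpoint never approves) and a
// session-bound CSRF token.
function hardenedIsLiveComponentRequest(headers, sessionToken) {
  if (getHeader(headers, 'accept') !== LIVE_ACCEPT) return false;
  if (getHeader(headers, CUSTOM_HEADER) === undefined) return false;
  const token = getHeader(headers, TOKEN_HEADER);
  return token !== undefined && constantTimeEqual(token, sessionToken);
}

// Constructed sample headers: one request built only from safelisted headers,
// and one legitimate same-origin LiveComponent request.
const SESSION_TOKEN = 'constructed-session-token';
const SAFELISTED_ONLY = { Accept: LIVE_ACCEPT, 'Content-Type': 'text/plain' };
const LEGITIMATE = {
  Accept: LIVE_ACCEPT,
  'Content-Type': 'application/json',
  'X-Live-Component-Request': '1',
  'X-CSRF-Token': SESSION_TOKEN,
};

function evaluate(method, headers, sessionToken) {
  return {
    preflightFree: isPreflightFree(method, headers),
    weakAccepts: weakIsLiveComponentRequest(headers),
    hardenedAccepts: hardenedIsLiveComponentRequest(headers, sessionToken),
  };
}

console.log('safelisted-only request:', evaluate('POST', SAFELISTED_ONLY, SESSION_TOKEN));
console.log('legitimate request:     ', evaluate('POST', LEGITIMATE, SESSION_TOKEN));
```

Running it shows the safelisted-only request as preflight-free and accepted by the weak check but rejected by the hardened one, while the legitimate request (which carries non-safelisted headers and therefore would be preflighted if it came from another origin) passes both. The custom-header requirement only holds if the endpoint's CORS policy does not approve preflights from arbitrary origins; the session-bound token is what makes the check robust regardless of header behaviour.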
Recommendations

Update to the patched version of the 2.x branch.
Update to the patched version of the 3.x branch.

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-49215
GHSA-4M4J-HMQQ-3GXM

Affected Products

Symfony/Ux-Live-Component