PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49208 symfony CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:15.380Z and has not been modified since then. Symfony UX, a JavaScript ecosystem for Symfony, has a security vulnerability in LiveComponentHydrator when handling DateTimeInterface types without explicit formats. This allows client-supplied relative strings like 'now' or '+10 years' to move a writable, format-less date prop past time-based business logic checks. The issue is fixed in versions 2.36.0 and 3.1.0. Developers and administrators using Symfony UX versions 2.8.0 to 2.36.0 and 3.1.0 should verify and apply patches to prevent potential security issues.

Vendor
symfony
Product
ux
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers and administrators using Symfony UX versions 2.8.0 to 2.36.0 and 3.1.0 should verify and apply patches to prevent potential security issues. This includes reviewing and updating business logic checks to handle date/time inputs securely and monitoring for any client-supplied input that could manipulate date/time values.

Technical summary

In Symfony UX, a security vulnerability exists in LiveComponentHydrator when handling DateTimeInterface types without explicit formats. Client-supplied relative strings like 'now' or '+10 years' can bypass time-based business logic checks, potentially leading to security issues. This is fixed in versions 2.36.0 and 3.1.0. Affected deployments should be verified, and patches applied to prevent exploitation.

Defensive priority

Medium priority due to CVSS score of 6.9 and potential impact on business logic checks.

Recommended defensive actions

  • Verify and apply patches for Symfony UX to versions 2.36.0 or 3.1.0.
  • Review and update business logic checks to handle date/time inputs securely.
  • Monitor for any client-supplied input that could manipulate date/time values.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and affected versions. Additional details can be found in the source references and GitHub advisories. To verify, defenders should review the official CVE record, NVD detail, and GitHub releases for Symfony UX. The vulnerability allows client-supplied relative strings to manipulate date/time values, potentially bypassing time-based business logic checks. Evidence is limited to public sources, and further verification may be necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:15.380Z and has not been modified since then.