CVE-2026-49208

Description

### Description When a `#[LiveProp]` is typed as a `DateTimeInterface` and no explicit `format` is configured, `Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue()` falls back to `new $className($value)`. The `DateTime` / `DateTimeImmutable` constructors accept relative strings such as `"now"`, `"tomorrow"`, or `"+10 years"`, so a writable, format-less date prop can be pushed to an arbitrary point in time by the client. Components that rely on a date prop to gate time-based business logic can be moved past those checks by a frontend payload that no maintainer would consider a valid date. ### Resolution `hydrateObjectValue()` now parses format-less date props strictly with `createFromFormat(DateTimeInterface::RFC3339, ...)`, matching the format already emitted by `dehydrateObjectValue()`. Normal round-trips are unaffected; only inputs that aren't valid RFC 3339 are now rejected, which is consistent with how a format-configured prop already behaved. The patch for this issue is available [here](https://github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2) for branch 2.x (and forward-ported to 3.x). ### Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

How to fix CVE-2026-49208

To remediate CVE-2026-49208, upgrade the affected package to a fixed version below.

• —upgrade to 2.36.0 or later

Is CVE-2026-49208 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49208.

Affected packages (1)

• >= 2.8.0, < 2.36.0

CVSS scores

References (4)

• PATCHgithub.com/symfony/ux
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49208.yaml
• WEBgithub.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2
• WEBgithub.com/symfony/ux/security/advisories/GHSA-89g7-22c8-3j23