CVE-2026-49209

Description

### Description `Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()` iterates over the client-supplied `actions` array and issues a full `HttpKernel` sub-request for each entry (event subscribers, validators, Doctrine, rendering). The array size is never bounded, so an authenticated client can submit a single `_batch` request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. ### Resolution `BatchActionController` now enforces an upper bound of 50 actions per `_batch` request (`MAX_ACTIONS_PER_BATCH`) and rejects larger payloads up front with a `BadRequestHttpException`. The matching JavaScript backend was also updated to split larger client-side batches into multiple requests so legitimate usage isn't affected. The patch for this issue is available [here](https://github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f) for branch 2.x (and forward-ported to 3.x). ### Credits Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

How to fix CVE-2026-49209

To remediate CVE-2026-49209, upgrade the affected package to a fixed version below.

• —upgrade to 2.36.0 or later

Is CVE-2026-49209 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-49209.

Affected packages (1)

• >= 2.5.0, < 2.36.0

CVSS scores

References (4)

• PATCHgithub.com/symfony/ux
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49209.yaml
• WEBgithub.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f
• WEBgithub.com/symfony/ux/security/advisories/GHSA-mm82-c99c-h2cf