CVE-2026-49211

描述

### Description `Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` builds the `LIKE` expression used by the autocomplete endpoint by wrapping the client-supplied query in `%...%` without escaping the SQL `LIKE` wildcards (`%`, `_`, `\`). The value is passed as a bound parameter, so this is not SQL injection, but a client can send `%` to match every row or use `_` as a single-character wildcard. Because `searchable_fields` defaults to every property of the entity and the autocomplete endpoint is public by default (`BaseEntityAutocompleteType` ships with `security => false`), an unauthenticated user can turn the endpoint into a broad matcher or a blind boolean oracle against every column of the entity, including columns the application never intended to expose. ### Resolution `EntitySearchUtil` now escapes `\`, `%`, and `_` in the user-supplied query with `addcslashes()` and appends an explicit `ESCAPE '\'` clause to the generated `LIKE` expression, so those characters are matched literally. The exact-match `words_query` `IN()` branch is unchanged. The patch for this issue is available [here](https://github.com/symfony/ux/commit/725ab3d40689c91ff19ad2d01940a30007769214) for branch 2.x (and forward-ported to 3.x). ### Credits Symfony would like to thank Pascal Cescon for reporting the issue and providing the fix.

如何修補 CVE-2026-49211

要修補 CVE-2026-49211,請將受影響套件升級到下列已修補版本。

• —升級至 2.36.0 或更新版本

CVE-2026-49211 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-49211 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

• >= 2.2.0, < 2.36.0

CVSS 分數

參考連結(4)

• PATCHgithub.com/symfony/ux
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2026-49211.yaml
• WEBgithub.com/symfony/ux/commit/725ab3d40689c91ff19ad2d01940a30007769214
• WEBgithub.com/symfony/ux/security/advisories/GHSA-946h-jp5c-8fvh