CVE-2026-49211: symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil
Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping the SQL LIKE wildcards (%, _, \). The value is passed as a bound parameter, so this is not SQL injection, but a client can send % to match every row or use _ as a single-character wildcard.
Because searchable_fields defaults to every property of the entity and the autocomplete endpoint is public by default (BaseEntityAutocompleteType ships with security => false), an unauthenticated user can turn the endpoint into a broad matcher or a blind boolean oracle against every column of the entity, including columns the application never intended to expose.
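The following added example (not code from symfony/ux, and not necessarily the shape of the upstream patch) reproduces the class of problem described above against a constructed in-memory SQLite table using PHP's PDO driver, then shows a search helper that escapes the three LIKE metacharacters and declares the escape character to the database. The table, rows and the `SEARCHABLE_FIELDS` allowlist are all assumptions made for the example.

```php
<?php
// Added example (not symfony/ux code). Assumes the PDO sqlite driver is loaded.
// A constructed table standing in for an entity whose properties include a
// column the application never meant to expose through search.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, api_token TEXT)');
$insert = $pdo->prepare('INSERT INTO user (name, api_token) VALUES (?, ?)');
foreach ([['alice', 'tok_9f3a'], ['bob', 'tok_52cd'], ['carol', 'tok_a0b1']] as $row) {
    $insert->execute($row);
}

// Hypothetical allowlist: the advisory's point is that the library defaults to
// every property, so the first mitigation is to name the intended columns.
const SEARCHABLE_FIELDS = ['name'];

function assertSearchable(string $field): void
{
    if (!in_array($field, SEARCHABLE_FIELDS, true)) {
        throw new InvalidArgumentException("field '$field' is not searchable");
    }
}

// Vulnerable shape: the term is bound (no SQL injection), but it is wrapped in
// %...% untouched, so a client-supplied '%' or '_' still acts as a wildcard.
function searchUnescaped(PDO $pdo, string $field, string $term): array
{
    assertSearchable($field);
    $stmt = $pdo->prepare("SELECT name FROM user WHERE $field LIKE :q");
    $stmt->execute(['q' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Escape the LIKE metacharacters ('%', '_' and the escape character itself)
// with a backslash so the term can only match literally.
function escapeLike(string $term): string
{
    return addcslashes($term, '%_\\');
}

// Hardened shape: escaped term plus an explicit ESCAPE clause, so the database
// knows which character un-wildcards the next one.
function searchEscaped(PDO $pdo, string $field, string $term): array
{
    assertSearchable($field);
    $stmt = $pdo->prepare("SELECT name FROM user WHERE $field LIKE :q ESCAPE '\\'");
    $stmt->execute(['q' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A lone '%' matches every row when unescaped and nothing when escaped;
// an ordinary term behaves the same either way.
var_dump(searchUnescaped($pdo, 'name', '%'));   // alice, bob, carol
var_dump(searchEscaped($pdo, 'name', '%'));     // empty
var_dump(searchUnescaped($pdo, 'name', 'a_i')); // alice ('_' matched the 'l')
var_dump(searchEscaped($pdo, 'name', 'a_i'));   // empty
var_dump(searchEscaped($pdo, 'name', 'ali'));   // alice
```

Escaping alone only closes the wildcard behaviour; the two configuration-level controls the advisory points at still apply: restrict `searchable_fields` to the columns that are meant to be searchable, and do not leave the endpoint at its default `security => false` unless it is genuinely meant to be public.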
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2026-49211.yaml
- github.com/advisories/GHSA-946h-jp5c-8fvh
- github.com/symfony/ux/commit/725ab3d40689c91ff19ad2d01940a30007769214
- github.com/symfony/ux/security/advisories/GHSA-946h-jp5c-8fvh
- nvd.nist.gov/vuln/detail/CVE-2026-49211