CVE-2026-49208: ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor
When a #[LiveProp] is typed as a DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value). The DateTime and DateTimeImmutable constructors accept relative strings such as "now", "tomorrow", or "+10 years", so a client can push a writable, format-less date prop to an arbitrary point in time. Any component that uses such a prop to gate time-based business logic (an expiry, a deadline, a start date) can be moved past that check by a frontend payload that no maintainer would recognise as a valid date.
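The following is an added example, not code from Symfony UX or from the advisory. It contrasts the permissive constructor fallback described above with a strict, format-bound parse that rejects relative strings, trailing data and invalid calendar dates. The payload list is constructed for the demo; the `hydratePermissive`, `hydrateStrict` and `compare` names are illustrative, and the `#[LiveProp(format: ...)]` attribute argument shown in the trailing comment is assumed from the advisory's wording ("no explicit format is configured"), not taken from the page.

```php
<?php
declare(strict_types=1);

// Permissive: what a writable, format-less DateTimeInterface prop effectively does
// with client input. "+10 years", "tomorrow" and "@0" are all accepted.
function hydratePermissive(string $value): DateTimeImmutable
{
    return new DateTimeImmutable($value);
}

// Strict: bind the value to one exact format and reject anything that does not
// survive a round-trip. Relative modifiers never match a fixed format.
function hydrateStrict(string $value, string $format = 'Y-m-d'): ?DateTimeImmutable
{
    // '!' resets fields the format does not set to the Unix epoch, so the
    // round-trip comparison below is exact rather than "now"-dependent.
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $value);
    if ($dt === false) {
        return null; // unparseable or trailing data
    }

    // "2026-02-30" parses with a warning ("The parsed date was invalid"): reject it.
    // getLastErrors() returns false on PHP >= 8.2 when there were no errors.
    $errors = DateTimeImmutable::getLastErrors();
    if ($errors !== false && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
        return null;
    }

    return $dt->format($format) === $value ? $dt : null;
}

// Constructed client payloads: only the first is what a maintainer would expect.
function compare(array $payloads, string $format = 'Y-m-d'): array
{
    $rows = [];
    foreach ($payloads as $p) {
        try {
            $permissive = hydratePermissive($p)->format(DATE_ATOM);
        } catch (Exception $e) {
            $permissive = 'rejected';
        }
        $strict = hydrateStrict($p, $format);
        $rows[$p] = [
            'permissive' => $permissive,
            'strict'     => $strict === null ? 'rejected' : $strict->format(DATE_ATOM),
        ];
    }
    return $rows;
}

$payloads = [
    '2026-05-01',           // legitimate date
    '+10 years',            // relative: moves a deadline/expiry far into the future
    'tomorrow',             // relative
    'now',                  // relative
    '@0',                   // Unix timestamp syntax: 1970-01-01
    '2026-02-30',           // invalid calendar date, silently normalised by the constructor
    '2026-05-01 +10 years', // valid prefix with a relative modifier appended
];

foreach (compare($payloads) as $payload => $r) {
    printf("%-24s permissive=%-26s strict=%s\n",
        var_export($payload, true), $r['permissive'], $r['strict']);
}

// In a Live Component the equivalent library-level control is to give the prop an
// explicit format so the hydrator never reaches the constructor fallback
// (attribute argument name assumed, not quoted from the advisory):
//
//   #[LiveProp(writable: true, format: 'Y-m-d')]
//   public ?\DateTimeImmutable $expiresAt = null;
```

Run with `php demo.php`: every relative or malformed payload prints `strict=rejected` while the permissive column shows the constructor happily producing a date for each of them. The round-trip check is what makes the strict path robust; checking only `createFromFormat() !== false` would still let "2026-02-30" through as 2026-03-02.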
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49208.yaml
- github.com/advisories/GHSA-89g7-22c8-3j23
- github.com/symfony/ux/commit/d24d78fda6df2d5964312255943ebf3a217b79a2
- github.com/symfony/ux/security/advisories/GHSA-89g7-22c8-3j23
- nvd.nist.gov/vuln/detail/CVE-2026-49208