CVE-2026-49209: symfony/ux-live-component: Denial of service via unbounded batch action requests
Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry, each one running event subscribers, validators, Doctrine queries and template rendering. The size of the array is never bounded, so an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server.
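As an added example (not the symfony/ux code or its upstream fix), a Symfony request subscriber that caps the number of actions in a Live Component batch request before the controller dispatches any sub-request; the `/_batch` path suffix, the payload layout (a JSON `actions` array sent as the `data` form field or as the raw body) and the limit of 20 are assumptions.

```php
<?php
// Added example, not the symfony/ux code or its fix: reject oversized batch
// requests at kernel.request so no per-action sub-request is ever dispatched.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class BatchActionLimitSubscriber implements EventSubscriberInterface
{
    // Assumed upper bound; set it to the largest batch your UI legitimately sends.
    public function __construct(private int $maxActions = 20) {}

    public static function getSubscribedEvents(): array
    {
        // Priority above the router listener (32) so the controller never runs.
        return [KernelEvents::REQUEST => ['onKernelRequest', 40]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$this->isBatchRequest($request)) {
            return;
        }
        // Assumption: the JSON payload arrives as a "data" form field or as the raw body.
        $json = (string) ($request->request->get('data') ?? $request->getContent());
        $count = self::countActions($json);
        if ($count > $this->maxActions) {
            $event->setResponse(new JsonResponse(
                ['error' => sprintf('%d batch actions exceed the limit of %d', $count, $this->maxActions)],
                JsonResponse::HTTP_BAD_REQUEST
            ));
        }
    }

    private function isBatchRequest(Request $request): bool
    {
        // Assumption: batch requests are POSTs whose path ends in "/_batch".
        return $request->isMethod('POST') && str_ends_with($request->getPathInfo(), '/_batch');
    }

    /** Number of entries in the payload's "actions" array; 0 when absent or malformed. */
    public static function countActions(string $json): int
    {
        $payload = json_decode($json, true);
        $actions = is_array($payload) ? ($payload['actions'] ?? null) : null;
        return is_array($actions) ? count($actions) : 0;
    }
}
```

With service autoconfiguration enabled the subscriber is registered automatically; the constructor argument is the only value to tune.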
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-live-component/CVE-2026-49209.yaml
- github.com/advisories/GHSA-mm82-c99c-h2cf
- github.com/symfony/ux/commit/95e878d5257f13d6d652ca95e3ef6bb0934d674f
- github.com/symfony/ux/security/advisories/GHSA-mm82-c99c-h2cf
- nvd.nist.gov/vuln/detail/CVE-2026-49209