CVE-2026-49209
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. This issue is fixed in versions 2.36.0 and 3.1.0.
Impact
Base Score 4.0
5.30
Severity 4.0
MEDIUM



