Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a #[LiveProp] is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value), allowing client-supplied relative strings such as now, tomorrow, or +10 years to move a writable, format-less date prop past time-based business logic checks. This issue is fixed in versions 2.36.0 and 3.1.0.

Project Subscriptions

Vendors Products
Symfony Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-89g7-22c8-3j23 ux-live-component: Format-less date LiveProps parsed with the permissive DateTime constructor
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 17 Jul 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Symfony
Symfony ux
Vendors & Products Symfony
Symfony ux

Fri, 17 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Description Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a #[LiveProp] is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value), allowing client-supplied relative strings such as now, tomorrow, or +10 years to move a writable, format-less date prop past time-based business logic checks. This issue is fixed in versions 2.36.0 and 3.1.0.
Title Symfony UX: Format-less date LiveProps parsed with the permissive DateTime constructor
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-17T16:10:49.101Z

Reserved: 2026-05-28T03:42:34.340Z

Link: CVE-2026-49208

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T17:45:04Z

Weaknesses