Affected versions Symfony versions >=2.5.0, =3.0.0, <3.1.0 of the Symfony UX Live Component component are affected by this security issue. The issue has been fixed in Symfony 2.36.0, 3.1.0. Description Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke()…
Affected versions Symfony versions >=2.8.0, =3.0.0, <3.1.0 of the Symfony UX Live Component component are affected by this security issue. The issue has been fixed in Symfony 2.36.0, 3.1.0. Description When a #[LiveProp] is typed…
Affected versions Symfony versions >=2.2.0, =3.0.0, <3.1.0 of the Symfony UX Autocomplete component are affected by this security issue. The issue has been fixed in Symfony 2.36.0, 3.1.0. Description Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()…
Symfony UX 3.1.0 is the first feature release on the 3.x branch. It brings a brand-new Calendar Link component, provide() and inject() functions for Twig components, a modern custom element and Twig component for Turbo Mercure streams, Turbo Frame request…
Symfony UX 2.36.0 is a security release for the 2.x branch: it fixes seven vulnerabilities in the LiveComponent and Autocomplete packages, two of them rated medium severity. If your application depends on symfony/ux-live-component or symfony/ux-autocomplete,…
Save the date! SymfonyOnline June 2026 will take place online on June 11-12, 2026, with 15 expert speakers streaming directly to you. 🎤 Speaker announcement! Guillaume Loulier, Technical Expert, SensioLabs, will be taking the virtual stage to present…
SymfonyOnline June 2026 is officially scheduled for June 11 and 12, 2026! Join us online for two tracks of cutting-edge tech talks: one full day dedicated to AI and another full day focus on Symfony Deep Dive. 🎤 Speaker announcement! We are excited…
Symfony includes two components dedicated to working with JSON: JsonStreamer encodes PHP data into JSON and decodes JSON back into PHP objects by streaming the contents, which provides high performance and low memory usage even for large payloads; JsonPath…
Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded __toString()…
Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description The per-template filter, tag and function allow-list check is compiled into the checkSecurity() method of each Template…
Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded __toString()…
Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description The 3.26.0 source-policy hardening changed the signature of CoreExtension::checkArrow() to take a boolean $isSandboxed…
Affected versions Twig versions <=3.26.0 are affected by this security issue. The issue has been fixed in Twig 3.27.0. Description This is a residual bypass of CVE-2026-46635 / GHSA-vcc8-phrv-43wj that only affects sandboxing enabled through SourcePolicyInterface…
Get ready for SymfonyOnline June 2026 This event will bring the international PHP community together online from June 11 to 12, 2026. This year, we are shaking things up with a brand-new format: one full day dedicated to AI and another full day focus…
Affected versions Symfony versions >=1.17.1, <1.38.1 of the Symfony Polyfill and Symfony Polyfill Intl Idn components are affected by this security issue. The issue has been fixed in Symfony 1.38.1. Description symfony/polyfill-intl-idn provides…