Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threat Intelligence
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-49208: CWE-20: Improper Input Validation in symfony uxCVE-2026-49208 0 Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a #[LiveProp] is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue() falls back to new $className($value), allowing client-supplied relative strings such as now, tomorrow, or +10 years to move a writable, format-less date prop past time-based business logic checks. This issue is fixed in versions 2.36.0 and 3.1.0. Join the discussion | CVE Database V5 | 07/17/2026, 16:10:49 UTC Added: 07/18/2026, 11:08:44 UTC |
CVE-2026-49211: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in symfony uxCVE-2026-49211 0 Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards (%, _, \), allowing unauthenticated users to turn the public BaseEntityAutocompleteType endpoint into a broad matcher or blind boolean oracle against every column in default searchable_fields. This issue is fixed in versions 2.36.0 and 3.1.0. Join the discussion | CVE Database V5 | 07/17/2026, 16:14:29 UTC Added: 07/18/2026, 11:08:44 UTC |
CVE-2026-49210: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in symfony uxCVE-2026-49210 0 Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml() interpolates the client-controlled children[id].tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly into HTML as a tag name without escaping or validation, allowing arbitrary HTML, including <script> tags, on any Live Component re-render that contains at least one child component. This issue is fixed in versions 2.36.0 and 3.1.0. Join the discussion | CVE Database V5 | 07/17/2026, 16:09:17 UTC Added: 07/18/2026, 11:08:42 UTC |
CVE-2026-49209: CWE-770: Allocation of Resources Without Limits or Throttling in symfony uxCVE-2026-49209 0 Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, an authenticated client can submit a single _batch request containing thousands of actions and exhaust CPU, memory, and database connections on the application server. This issue is fixed in versions 2.36.0 and 3.1.0. Join the discussion | CVE Database V5 | 07/17/2026, 16:02:06 UTC Added: 07/18/2026, 11:08:40 UTC |
CVE-2026-49212: CWE-345: Insufficient Verification of Data Authenticity in symfony uxCVE-2026-49212 0 Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier (props vs propsFromParent), or request context, allowing a signed blob minted for one component or slot to be replayed in another and set a read-only prop on a target component. This issue is fixed in versions 2.36.0 and 3.1.0. Join the discussion | CVE Database V5 | 07/17/2026, 16:03:27 UTC Added: 07/18/2026, 11:08:38 UTC |
CVE-2026-49215: CWE-352: Cross-Site Request Forgery (CSRF) in symfony uxCVE-2026-49215 0 Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gates #[LiveAction] invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and cross-origin fetch() can set it without preflight, allowing forged cross-origin #[LiveAction] requests against a victim session when applications use SameSite=None, credentials: 'include', a permissive cookie policy, or a same-origin pivot. This issue is fixed in versions 2.36.0 and 3.1.0. Join the discussion | CVE Database V5 | 07/17/2026, 16:16:42 UTC Added: 07/18/2026, 11:08:36 UTC |
CVE-2026-55878: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in symfony uxCVE-2026-55878 0 A path traversal vulnerability (CWE-22) exists in Symfony UX's ux:install console command in versions from 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0. This flaw allows crafted or compromised recipe kits to write or read files outside the intended directory by exploiting improper path validation. The issue is fixed in versions 2.36.1 and 3.2.0. Join the discussion | CVE Database V5 | 07/08/2026, 21:30:33 UTC Added: 07/08/2026, 21:44:07 UTC |
CVE-2026-55877: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in symfony uxCVE-2026-55877 0 A cross-site scripting (XSS) vulnerability exists in Symfony UX's ux_icon() Twig function and Icon::toHtml() method, which inline SVG source code verbatim without sanitization. This affects versions from 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0. The vulnerability allows execution of malicious scripts embedded in local SVG files or Iconify JSON responses containing script elements, event handlers, or dangerous URL schemes. The issue is fixed in versions 2.36.1 and 3.2.0. Join the discussion | CVE Database V5 | 07/08/2026, 21:32:37 UTC Added: 07/08/2026, 21:44:07 UTC |
Showing 1 to 8 of 8 results