Moderate severity · NVD Advisory · Published Sep 11, 2023 · Updated Sep 26, 2024
Prevent injection of invalid entity ids for "autocomplete" fields in symfony ux-autocomplete
CVE-2023-41336
Description
ux-autocomplete provides JavaScript autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is *not* part of the valid choices. The problem has been fixed in symfony/ux-autocomplete version 2.11.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/ux-autocomplete (Packagist) | < 2.11.2 | 2.11.2 |
Affected products (2)
- symfony/ux-autocomplete · v5 · Range: < 2.11.2
References (6)
- github.com/advisories/GHSA-4cpv-669c-r79x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-41336 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/ux-autocomplete/CVE-2023-41336.yaml (ghsa, x_refsource_MISC, WEB)
- github.com/symfony/ux-autocomplete/commit/fabcb2eee14b9e84a45b276711853a560b5d770c (ghsa, x_refsource_MISC, WEB)
- github.com/symfony/ux-autocomplete/security/advisories/GHSA-4cpv-669c-r79x (ghsa, x_refsource_CONFIRM, WEB)
- symfony.com/bundles/ux-autocomplete/current/index.html (ghsa, x_refsource_MISC, WEB)