ux-autocomplete
by Sensiolabs
CVEs (2)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49216 | | | 0.00 | — | — | | Jun 19, 2026 | The Stimulus controller shipped with `symfony/ux-autocomplete` renders AJAX response items into the dropdown by interpolating the `text` field directly into HTML template literals (`${item[labelField]}`) inside `_createAutocompleteWithRemoteData()`.… |
| CVE-2026-49211 | | | 0.00 | — | — | | Jun 19, 2026 | `Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` builds the `LIKE` expression used by the autocomplete endpoint by wrapping the client-supplied query in `%...%` without escaping the SQL `LIKE` wildcards (`%`, `_`, `\`). The value is passed… |