php · symfony/ux-toolkit · Critical

symfony/ux-toolkit: Path traversal in ux:install command

The ux:install console command is vulnerable to path traversal via the copy-files map.

20 Jun 2026 · Read 1 min · Severity: act now

What changed

The ux:install console command is vulnerable to path traversal via the copy-files map. The fix adds Assert::pathDoesNotEscapeDirectory() to reject paths with .. segments and a final check with Path::isBasePath() before filesystem operations.
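
The two-layer check described above, as an added PHP 8 example that is not code from symfony/ux-toolkit or from this advisory: each map entry is rejected if it is absolute or contains a .. segment, and the resolved path is then confirmed to sit under its base directory before anything is copied. The function names, the source => destination shape of the copy-files map, the POSIX-style base directories and the sample paths are assumptions; the example does not call the library's Assert::pathDoesNotEscapeDirectory() or Path::isBasePath().

```php
<?php
// Resolve "." and ".." lexically, without touching the filesystem.
function normalize(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '..') {
            array_pop($parts); // climbing above "/" stays at "/"
        } elseif ($seg !== '' && $seg !== '.') {
            $parts[] = $seg;
        }
    }
    return '/' . implode('/', $parts);
}

// Layer 1: a map entry must be non-empty, relative, and free of ".." segments.
function assertNoEscape(string $path): void
{
    $p = str_replace('\\', '/', $path);
    if ($p === '' || preg_match('#^(/|[A-Za-z]:)|(^|/)\.\.(/|$)#', $p) === 1) {
        throw new InvalidArgumentException("Unsafe path in copy-files map: $path");
    }
}

// Layer 2: containment on the resolved path. The trailing "/" keeps
// "/srv/app-other" from passing as a child of "/srv/app".
function isInside(string $base, string $path): bool
{
    return str_starts_with(normalize($path) . '/', rtrim(normalize($base), '/') . '/');
}

// Returns resolved source => destination pairs that are safe to hand to the copy step.
function planCopy(array $map, string $kitDir, string $projectDir): array
{
    $plan = [];
    foreach ($map as $src => $dst) {
        assertNoEscape((string) $src);
        assertNoEscape((string) $dst);
        [$from, $to] = [normalize("$kitDir/$src"), normalize("$projectDir/$dst")];
        if (!isInside($kitDir, $from) || !isInside($projectDir, $to)) {
            throw new InvalidArgumentException("Path escapes its base directory: $src");
        }
        $plan[$from] = $to;
    }
    return $plan;
}

// Constructed sample maps; the directories are placeholders.
print_r(planCopy(['templates/Button.html.twig' => 'templates/components/Button.html.twig'], '/tmp/kit', '/tmp/project'));
try { planCopy(['templates/Button.html.twig' => '../outside.txt'], '/tmp/kit', '/tmp/project'); }
catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

Both layers here are lexical, so they say nothing about symlinks that already exist inside the target directory.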

Who it affects

Developers using symfony/ux-toolkit who run ux:install with recipe kits from untrusted sources.

What to do today

Update symfony/ux-toolkit to the latest patched version immediately.
