CVE-2026-31825

Medium CVSS: 5.3

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

Vendor

Sylius

Product

Sylius

CWE

CWE-89

Yayın Tarihi

2026-03-10 22:16:20

Güncelleme

2026-03-18 19:48:52

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-89 Sylius MEDIUM Sylius 2026

Referanslar

https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m

Benzer Kayıtlar

High

CVE-2026-31824

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was disc…

Medium

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserContro…

High

CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulner…

Medium

CVE-2026-31821

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does n…

Medium

CVE-2026-31822

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop c…

Medium

CVE-2026-31823

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerabilit…