Description
Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Published: 2026-03-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling phishing or credential theft
Action: Immediate Patch
AI Analysis

Impact

Sylius allows an attacker to redirect users to malicious sites via the HTTP Referer header in specific controller actions. The attacker delivers a legitimate-looking link to the shop; when the victim follows it from the attacker's page, the browser sends the attacker's domain as the Referer, and the shop redirects the user back to that malicious site. This can be exploited to harvest credentials or host phishing pages, since the redirect originates from a trusted domain and does not require additional privileges.

Affected Systems

Sylius eCommerce Framework on Symfony is affected. Vulnerable versions are those prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3. Any installation of Sylius before these releases is impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. Exploitation requires the victim to click a genuine-looking link from an attacker-controlled page, which is trivial for public endpoints; admin-only endpoints additionally require that an authenticated admin follows such a link from an external source. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 17, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sylius to any of the patched releases (1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 or later).
  • Modify the application code or configuration so that CurrencySwitchController, ImpersonateUserController, and StorageBasedLocaleSwitcher no longer use the Referer header as the redirect target, validating all redirect URLs against a whitelist of trusted domains.
  • If an immediate patch is unavailable, configure the web server or a web application firewall to block redirects that point to external domains, allowing only redirects to trusted internal or whitelisted URLs.
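The validation the second recommended action calls for, as an added example that is not Sylius code: the Referer is used as a redirect target only when its host is the shop's own host, and only its path and query are echoed back; anything else falls back to a fixed in-application path. It is written in Python so it runs stand-alone; `safe_redirect_target`, `vulnerable_redirect_target`, `SHOP_HOST` and the sample Referer values are constructed here, and `request_host` is assumed to be the bare hostname of the current request (what Symfony's `Request::getHost()` returns).

```python
from urllib.parse import urlsplit

# Constructed sample values: the shop's own host and a fixed in-app fallback path.
SHOP_HOST = "shop.example"
FALLBACK = "/"


def vulnerable_redirect_target(referer):
    """The pattern the advisory describes: the Referer value becomes the Location."""
    return referer or FALLBACK


def safe_redirect_target(referer, request_host=SHOP_HOST, default_path=FALLBACK):
    """Use the Referer only when it points at our own host; otherwise default_path.

    Only path and query are returned, so the Location header can never name a
    foreign origin. request_host is assumed to be the bare hostname (no port).
    """
    if not referer:
        return default_path
    # Browsers treat backslashes as slashes; normalise so "https:\\evil.example"
    # is parsed as an absolute URL with a foreign host, not as a harmless path.
    try:
        parts = urlsplit(referer.replace("\\", "/"))
    except ValueError:  # e.g. a malformed IPv6 literal in the host
        return default_path
    # Rejects javascript:, data:, and scheme-relative "//host/..." (empty scheme).
    if parts.scheme not in ("http", "https"):
        return default_path
    # .hostname strips userinfo and port, so "https://shop.example@evil.example"
    # compares as evil.example and is rejected.
    if (parts.hostname or "") != request_host.lower():
        return default_path
    path = parts.path or "/"
    # A path starting with "//" would itself be a scheme-relative URL in Location.
    if not path.startswith("/") or path.startswith("//"):
        return default_path
    return path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    # Constructed Referer values: a same-site page, then a lure page on another host.
    for ref in ("https://shop.example/en_US/cart?step=1", "https://evil.example/lure"):
        print(f"{ref!r:45} vulnerable -> {vulnerable_redirect_target(ref)}")
        print(f"{'':45} hardened   -> {safe_redirect_target(ref)}")
```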

Advisories
Source: GitHub GHSA
ID: GHSA-9ffx-f77r-756w
Title: Sylius has an Open Redirect via Referer Header
History

Wed, 11 Mar 2026 20:15:00 +0000

  • CPEs, values added: cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
  • Metrics (cvssV3_1), values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 11 Mar 2026 16:15:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

  • First Time appeared, values added: Sylius (vendor); Sylius sylius (product)
  • Vendors & Products, values added: Sylius (vendor); Sylius sylius (product)

Tue, 10 Mar 2026 21:45:00 +0000

  • Description, values added: Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
  • Title, values added: Sylius has an Open Redirect via Referer Header
  • Weaknesses, values added: CWE-601
  • References, values added: (none listed)
  • Metrics (cvssV4_0), values added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:59.496Z

Reserved: 2026-03-09T17:41:56.076Z

Link: CVE-2026-31819

Vulnrichment

Updated: 2026-03-11T15:53:36.532Z

NVD

Status: Analyzed

Published: 2026-03-10T22:16:19.323

Modified: 2026-03-11T20:14:24.063

Link: CVE-2026-31819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses