Description
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Published: 2026-03-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client-side Script Execution via XSS
Action: Apply Patch
AI Analysis

Impact

A cross-site scripting flaw exists in the Sylius checkout login form. When a login attempt fails, the AuthenticationFailureHandler returns a JSON response whose message field is inserted directly into the page with innerHTML. Any HTML or JavaScript in that message is executed by the browser, allowing an attacker to run malicious scripts in the victim's context.

Affected Systems

Sylius eCommerce Framework by Sylius. Versions below 2.0.16, 2.1.12, or 2.2.3 are vulnerable. The issue was fixed in those releases and all later versions.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation at this time, and the vulnerability is not present in the CISA KEV catalog. Based on the description, the flaw triggers when a failed login attempt produces a JSON response that includes a message field rendered with innerHTML. The description implies that an attacker can influence the content of that message, which will be executed by the browser when rendered in the victim's session. The risk is therefore limited to contexts where the checkout login form is displayed and the message is rendered; it does not involve server-side code execution or privilege escalation.

Generated by OpenCVE AI on April 17, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sylius to a patched release (2.0.16, 2.1.12, or 2.2.3 or later) as per the vendor advisory.
  • Refactor any custom code that renders the authentication failure message so it does not use innerHTML, instead using safe text insertion or sanitization.
  • If an immediate upgrade is not possible, escape or encode the message content before inserting it into the DOM to prevent script execution.
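The contrast between the flawed rendering described in the advisory and the two remediations listed above, as an added example that is not Sylius' own code. Function names and the fallback text are assumptions; only the "message" field comes from the advisory, and a plain object stands in for the DOM element so the code runs under Node.

```javascript
// Added example (not Sylius' own code): safe handling of the JSON failure
// response in a Stimulus-style checkout login controller. Function names and
// the fallback text are assumptions; only the "message" field is from the
// advisory. A plain object stands in for the DOM element so this runs in Node.

// Escapes the characters that can change meaning inside HTML, for the case
// where the message must be embedded in a markup string.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accepts only a plain string from the parsed body; any other shape gets a
// generic fallback so unexpected server output never reaches the page.
function extractMessage(body) {
  if (body !== null && typeof body === "object" && typeof body.message === "string") {
    return body.message;
  }
  return "Login failed."; // assumed fallback text
}

// The flawed pattern described in the advisory: innerHTML parses markup in
// the message, so tags and event handlers inside it become live DOM.
function showErrorUnsafe(target, body) {
  target.innerHTML = extractMessage(body);
}

// Hardened pattern: textContent stores the string as text, never as markup.
function showErrorSafe(target, body) {
  target.textContent = extractMessage(body);
  return target.textContent;
}

// Hardened alternative when the message must sit inside an alert wrapper:
// escape first, then build the markup string.
function renderErrorMarkup(body) {
  return `<div class="alert alert-danger">${escapeHtml(extractMessage(body))}</div>`;
}

// Constructed sample of a failed-login response body containing markup.
const sampleFailure = JSON.parse('{"message":"Bad credentials <b>note</b>"}');

console.log(renderErrorMarkup(sampleFailure));
```

In a real controller `target` would be the Stimulus target element; `showErrorUnsafe` is kept only to show the pattern the patched releases replace.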

Advisories
Source: Github GHSA | ID: GHSA-vgh8-c6fp-7gcg | Title: Sylius has a XSS vulnerability in checkout login form
History

Wed, 11 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sylius
Sylius sylius
Vendors & Products Sylius
Sylius sylius

Tue, 10 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Title Sylius has a XSS vulnerability in checkout login form
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:48.465Z

Reserved: 2026-03-09T17:41:56.076Z

Link: CVE-2026-31822

Vulnrichment

Updated: 2026-03-11T15:53:33.785Z

NVD

Status : Analyzed

Published: 2026-03-10T22:16:19.810

Modified: 2026-03-11T19:32:26.917

Link: CVE-2026-31822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses