Description
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Published: 2026-03-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Stored XSS
Action: Patch Now
AI Analysis

Impact

An authenticated user can inject malicious HTML or JavaScript that is persisted through entity names such as taxon or product names and rendered by the Sylius eCommerce Framework. The vulnerability arises from unsanitized output in Twig templates and JavaScript template-literal interpolation, allowing script execution in the context of any browser that views pages containing those entities. The weakness is a classic stored cross-site scripting flaw, classified as CWE-79, which can lead to session hijacking, credential theft, defacement, or further exploitation of users who visit affected pages.

Affected Systems

The issue affects the Sylius eCommerce Framework, which is built on Symfony. An attacker must be able to modify or create entity names (taxons, products, etc.) in the administrative interface. Vendor and product: Sylius:Sylius. All releases before the patched versions are affected; 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above are safe.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.8, indicating moderate severity. Its EPSS score is below 1%, suggesting a low probability of widespread exploitation at present, and it is not listed in the CISA KEV catalog. Because an attacker must be authenticated to inject payloads, the attack surface is limited to privileged users; once a payload is stored, however, it executes in the browsers of all users who view pages that render the compromised entity, allowing attackers to steal session cookies or hijack accounts. Official fixes are available, so the risk drops to negligible once the system is updated.

Generated by OpenCVE AI on April 16, 2026 at 03:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sylius to any of the fixed releases (1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 or newer).
  • After upgrading, clear the Symfony cache and restart the web server to ensure the new code is loaded.
  • If an immediate upgrade is not possible, review and sanitize existing entity names (taxon and product names) to remove any markup that could be interpreted as script.
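As an added illustration (not Sylius code) of the unescaped template-literal rendering described in the description above and of the interim review step in the last bullet, the following JavaScript places a stand-in for the vulnerable row renderer beside an escaped version and flags stored names that contain markup. The names renderRowUnsafe, renderRowSafe, escapeHtml and findSuspiciousNames are hypothetical; the sample taxon rows are constructed and include the payload quoted in the description.

```javascript
// Added example, not from the Sylius code base: the unsafe pattern the
// advisory describes, its escaped counterpart, and a review helper.

// Minimal HTML escaping for text that lands in an HTML element or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical stand-in for the vulnerable rowRenderer: the stored name is
// interpolated straight into markup, so any tags in it reach the DOM.
function renderRowUnsafe(taxon) {
  return `<div class="item" data-id="${taxon.id}">${taxon.name}</div>`;
}

// Hardened version: every untrusted value is encoded before interpolation.
function renderRowSafe(taxon) {
  const id = escapeHtml(taxon.id);
  const name = escapeHtml(taxon.name);
  return `<div class="item" data-id="${id}">${name}</div>`;
}

// Review helper for the interim step: returns ids of entities whose stored
// name looks like markup (tag start, inline event handler, javascript: URL).
function findSuspiciousNames(entities) {
  const markup = /<[a-z!\/?]|on\w+\s*=|javascript:/i;
  return entities.filter((e) => markup.test(e.name)).map((e) => e.id);
}

// Constructed sample rows, including the payload quoted in the advisory.
const sampleTaxons = [
  { id: 1, name: "T-Shirts" },
  { id: 2, name: "<img src=x onerror=alert('XSS')>" },
  { id: 3, name: "Mugs & Cups" },
];
```

The same principle applies to the Twig template: dropping the |raw filter lets Twig's default HTML autoescaping encode the label, whereas stripping markup from stored names is lossy (note that a legitimate ampersand survives escaping intact).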

Advisories
Source: Github GHSA | ID: GHSA-mx4q-xxc9-pf5q | Title: Sylius Vulnerable to Authenticated Stored XSS
History

Wed, 11 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Wed, 11 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sylius; Sylius sylius
Vendors & Products | | Sylius; Sylius sylius

Tue, 10 Mar 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | Sylius has Authenticated Stored XSS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:42.607Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31823

Vulnrichment

Updated: 2026-03-11T15:51:59.289Z

NVD

Status: Analyzed

Published: 2026-03-10T22:16:19.973

Modified: 2026-03-11T19:31:00.943

Link: CVE-2026-31823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses