Impact
Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user‑supplied order direction values directly to Doctrine’s orderBy() without any validation. This allows an attacker to inject arbitrary DQL which can be executed against the database. The consequence is that non‑privileged input can compel the application to run unintended database statements, potentially exposing private data, tampering with data, or disrupting service. The flaw is classified as CWE‑89 and CWE‑943. Based on the description, the attack vector is inferred to be through external API calls, and the impact is inferred from the ability to execute arbitrary query language statements which can compromise confidentiality, integrity, or availability.
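The pattern behind the flaw and its fix, as an added illustration that is not Sylius code: Doctrine's orderBy()/addOrderBy() take a raw DQL fragment for the direction, so it cannot be bound as a parameter and must be checked against a fixed allow‑list before it reaches the query builder. The class and method names below are hypothetical.

```php
<?php
// Added illustration, not Sylius code. Class and method names are hypothetical.
declare(strict_types=1);

use Doctrine\ORM\QueryBuilder;

final class OrderDirectionFilter
{
    private const ALLOWED_DIRECTIONS = ['ASC', 'DESC'];

    /**
     * Weak pattern: the direction taken from the request is handed to
     * addOrderBy() unchanged. The second argument is a DQL fragment, not a
     * bound parameter, so whatever the client sent becomes part of the query.
     */
    public function applyUnsafe(QueryBuilder $qb, string $alias, string $direction): void
    {
        $qb->addOrderBy(sprintf('%s.price', $alias), $direction);
    }

    /**
     * Hardened pattern: normalise the value and accept only the two literal
     * directions; anything else is rejected before the query is built.
     */
    public function applySafe(QueryBuilder $qb, string $alias, string $direction): void
    {
        $qb->addOrderBy(sprintf('%s.price', $alias), self::normalizeDirection($direction));
    }

    public static function normalizeDirection(string $direction): string
    {
        $upper = strtoupper(trim($direction));
        if (!in_array($upper, self::ALLOWED_DIRECTIONS, true)) {
            throw new \InvalidArgumentException(sprintf(
                'Invalid order direction "%s"; expected one of %s',
                $direction,
                implode(', ', self::ALLOWED_DIRECTIONS)
            ));
        }

        return $upper;
    }
}
```

Mapping the exception to a 400 response at the API layer keeps malformed direction values out of the database entirely and makes them visible in request logs.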
Affected Systems
The vulnerability affects the Sylius eCommerce framework. Versions earlier than the fixed releases 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12 and 2.2.3 are vulnerable; those releases and all later ones carry the patch.
Risk and Exploitability
The CVSS score is 5.3, indicating a moderate severity. EPSS is below 1%, implying a low likelihood of exploitation at this time, and the vulnerability is not included in the CISA KEV catalog. Attackers would need to craft a malicious API request to the affected order‑filter endpoints; no additional local privilege or exploitation of other components is required. Based on the description, the attack vector is inferred as an externally reachable API endpoint, and the potential impact is inferred from the arbitrary DQL execution, which could be leveraged to read, modify or delete data from the database, subject to the business logic and other security controls in place.
OpenCVE Enrichment
Github GHSA