SB20260427165 - Multiple vulnerabilities in Sylius
Published: April 27, 2026
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Open redirect (CVE-ID: CVE-2026-31819)
The vulnerability allows a remote attacker to redirect users to an untrusted site.
The vulnerability exists due to an open redirect in CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle(), which use the HTTP Referer header as the redirect target. A remote attacker can place a legitimate application link on an attacker-controlled page so that the Referer-based redirect sends users back to the untrusted site.
User interaction is required. The admin impersonation endpoint is reachable only from an authenticated admin session; the other affected endpoints are public.
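As an added example (not Sylius code), a redirect-target check of the kind that closes a Referer-based open redirect: the Referer is used only when it is a site-relative path or an http(s) URL on the application's own host. The function name is hypothetical, and `$currentHost` is assumed to be the host (with any non-default port) as Symfony's Request::getHttpHost() reports it.

```php
<?php
// Added illustrative example, not Sylius code: pick a post-action redirect target
// from the Referer header only when it points back at this application.
declare(strict_types=1);

/**
 * Returns $referer when it is a site-relative path or an http(s) URL on
 * $currentHost (host plus non-default port, as Request::getHttpHost() gives it);
 * otherwise returns $fallback. Hypothetical helper, not a Sylius API.
 */
function safeRedirectTarget(?string $referer, string $currentHost, string $fallback = '/'): string
{
    if ($referer === null || $referer === '' || preg_match('/[\x00-\x20\x7f]/', $referer)) {
        return $fallback; // missing, or contains control/whitespace bytes some parsers tolerate
    }

    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }

    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative reference: accept "/path" but not "//host/path" or "/\host/path",
        // which browsers treat as protocol-relative URLs to another host.
        $path = $parts['path'] ?? '';
        $ok = str_starts_with($path, '/') && !preg_match('#^/[/\\\\]#', $path);
        return $ok ? $referer : $fallback;
    }

    // Absolute URL: http(s) only, no userinfo, and host:port must be ours.
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $host = strtolower($parts['host'] ?? '') . (isset($parts['port']) ? ':' . $parts['port'] : '');

    return $host === strtolower($currentHost) ? $referer : $fallback;
}

// Constructed inputs for a shop served at shop.example:
assert(safeRedirectTarget('/cart', 'shop.example') === '/cart');
assert(safeRedirectTarget('https://shop.example/product/1', 'shop.example') === 'https://shop.example/product/1');
assert(safeRedirectTarget('https://evil.example/', 'shop.example') === '/');
assert(safeRedirectTarget('//evil.example/', 'shop.example') === '/');
assert(safeRedirectTarget('https://shop.example@evil.example/', 'shop.example') === '/');
assert(safeRedirectTarget('javascript:alert(1)', 'shop.example') === '/');
```

The fallback should be a fixed route of the application (the cart or home page), never another user-supplied value.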
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-31820)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in shop LiveComponents when processing user-supplied #[LiveArg] resource identifiers. A remote user can supply a crafted addressId or cartId value to disclose sensitive information.
The issue affects the checkout address FormComponent addressFieldUpdated action and the cart WidgetComponent and SummaryComponent refreshCart actions. The cart-related exposure can include data from completed orders because active carts and completed orders share the same ID space.
3) Missing Authorization (CVE-ID: CVE-2026-31821)
The vulnerability allows a remote attacker to modify another customer's cart and disclose sensitive information.
The vulnerability exists due to missing authorization in the API v2 add item endpoint when handling POST requests to /api/v2/shop/orders/{tokenValue}/items. A remote attacker can send a specially crafted request with a known cart tokenValue to modify another customer's cart and disclose sensitive information.
The endpoint response may include the full cart representation, including customer email address, cart contents, address data, payment and shipment IDs, order totals, tax breakdown, and checkout state.
4) Cross-site scripting (CVE-ID: CVE-2026-31822)
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to cross-site scripting in the ApiLoginController Stimulus controller when rendering the authentication failure message into the DOM using innerHTML. A remote attacker can cause malicious HTML or JavaScript to be included in the message field to execute arbitrary script in the victim's browser.
The issue affects the default shop checkout login form, and exploitation may depend on customized authentication handlers, untrusted translation sources, intercepted responses, or modified JSON response bodies.
5) Cross-site scripting (CVE-ID: CVE-2026-31823)
The vulnerability allows a remote user to inject arbitrary HTML or JavaScript.
The vulnerability exists due to improper neutralization of input during web page generation: entity names are rendered as raw, unsanitized HTML across the shop frontend and admin panel. A remote privileged user can supply a crafted entity name to inject arbitrary HTML or JavaScript.
User interaction is required for a victim to view the affected storefront or admin interface content.
6) Improper Neutralization of Special Elements in Data Query Logic (CVE-ID: CVE-2026-31825)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements in data query logic in ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter when handling API order filter parameters. A remote attacker can send a specially crafted request to disclose sensitive information.
The issue affects API routes and involves user-supplied order direction values being passed directly to Doctrine's orderBy().
7) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-31824)
The vulnerability allows a remote attacker to bypass promotion and coupon usage limits.
The vulnerability exists due to a time-of-check time-of-use race condition in promotion usage limit enforcement when completing orders through concurrent API requests. A remote attacker can send simultaneous PATCH requests to redeem a limited-use promotion or coupon multiple times.
The same race condition affects the global promotion usage counter, the global coupon usage counter, and the per-customer coupon redemption count.
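As an added example (not Sylius code), the race above reproduced against an in-memory SQLite table with a constructed schema: two interleaved "requests" both pass a separate usage-limit check before either writes, while a version that folds the limit into the UPDATE's WHERE clause lets exactly one succeed. Table, column and function names are hypothetical.

```php
<?php
// Added illustrative example, not Sylius code: a usage limit enforced by a separate
// read and write races under concurrent requests; a conditional UPDATE does not.
declare(strict_types=1);
// Constructed schema and data; an in-memory SQLite database stands in for the store's DB.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE promotion (id INTEGER PRIMARY KEY, usage_limit INTEGER NOT NULL, used INTEGER NOT NULL)');
$pdo->exec('INSERT INTO promotion (id, usage_limit, used) VALUES (1, 1, 0)'); // single-use promotion

function usedCount(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('SELECT used FROM promotion WHERE id = :id');
    $stmt->execute(['id' => $id]);
    return (int) $stmt->fetchColumn();
}

/** Racy step 1: the check, run as its own query (what each concurrent request sees). */
function racyCheck(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('SELECT used < usage_limit FROM promotion WHERE id = :id');
    $stmt->execute(['id' => $id]);
    return (bool) $stmt->fetchColumn();
}

/** Racy step 2: the increment, which trusts the earlier check. */
function racyRedeem(PDO $pdo, int $id): void
{
    $pdo->prepare('UPDATE promotion SET used = used + 1 WHERE id = :id')->execute(['id' => $id]);
}

/** Fixed: the limit is re-evaluated inside the UPDATE; the affected-row count is the verdict. */
function atomicRedeem(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('UPDATE promotion SET used = used + 1 WHERE id = :id AND used < usage_limit');
    $stmt->execute(['id' => $id]);
    return $stmt->rowCount() === 1;
}

// Two requests interleave: both pass the check before either writes.
$first = racyCheck($pdo, 1);
$second = racyCheck($pdo, 1);
if ($first) { racyRedeem($pdo, 1); }
if ($second) { racyRedeem($pdo, 1); }
assert(usedCount($pdo, 1) === 2); // limit of 1 exceeded

// Reset and redeem twice with the atomic version: only the first call succeeds.
$pdo->exec('UPDATE promotion SET used = 0 WHERE id = 1');
$results = [atomicRedeem($pdo, 1), atomicRedeem($pdo, 1)];
assert($results === [true, false] && usedCount($pdo, 1) === 1);
```

Against a real database the two requests run on separate connections, and the conditional UPDATE serializes on the row lock so that at most one of them counts; the per-customer coupon redemption count needs the same treatment, or a unique constraint that makes the second insert fail.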
Remediation
Install the update from the vendor's website.
References
- https://github.com/Sylius/Sylius/security/advisories/GHSA-9ffx-f77r-756w
- https://github.com/advisories/GHSA-9ffx-f77r-756w
- https://github.com/Sylius/Sylius/security/advisories/GHSA-2xc6-348p-c2x6
- https://github.com/advisories/GHSA-2xc6-348p-c2x6
- https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg
- https://github.com/advisories/GHSA-wjmg-4cq5-m8hg
- https://github.com/Sylius/Sylius/security/advisories/GHSA-vgh8-c6fp-7gcg
- https://github.com/advisories/GHSA-vgh8-c6fp-7gcg
- https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q
- https://github.com/advisories/GHSA-mx4q-xxc9-pf5q
- https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m
- https://github.com/advisories/GHSA-xcwx-r2gw-w93m
- https://github.com/Sylius/Sylius/security/advisories/GHSA-7mp4-25j8-hp5q
- https://github.com/advisories/GHSA-7mp4-25j8-hp5q