Open redirect in Sylius - CVE-2026-31819

Published: April 27, 2026


Vulnerability identifier: #VU128214
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-31819
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sylius
Affected software:
Sylius

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect users to an untrusted site.

The vulnerability exists because CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle() redirect the user back to the URL taken from the HTTP Referer header without checking that it points at the application's own host. A remote attacker can place a legitimate link to one of these endpoints on an attacker-controlled page; when a user follows it, the application performs the requested action and then redirects the user to the Referer, i.e. back to the attacker's untrusted site.

User interaction is required. The admin impersonation endpoint is reachable only from an authenticated admin session, while the other affected endpoints are public.
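The validation the affected controllers lacked, shown as an added example in plain PHP. This is not Sylius code and not the vendor's fix: the function name safeRefererTarget, the host names shop.example and evil.example, and the sample Referer values are constructed for illustration. The rule it implements is the usual one for Referer-based redirects: only an absolute http(s) URL whose host[:port] matches the host the application was reached on is followed; everything else falls back to a known-safe in-app path.

```php
<?php
// Added example, not Sylius code: decide whether an HTTP Referer value may be
// used as a redirect target. Only an absolute http(s) URL whose host[:port]
// equals the host the application was reached on is accepted; another host,
// userinfo tricks, scheme-relative or non-http URLs and unparseable input all
// fall back to a known-safe in-app path.
declare(strict_types=1);

/**
 * @param string|null $referer     raw Referer header, or null when absent
 * @param string      $allowedHost host[:port] as the app sees it (e.g. Symfony's $request->getHttpHost(),
 *                                 which omits standard ports, so a Referer carrying ":443" is rejected)
 * @param string      $fallback    safe in-app target used whenever the Referer is rejected
 */
function safeRefererTarget(?string $referer, string $allowedHost, string $fallback): string
{
    if ($referer === null || trim($referer) === '') {
        return $fallback;
    }
    $referer = trim($referer);

    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // Scheme-relative ("//evil.example/..."), relative, or unparseable: reject.
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        // "https://shop.example@evil.example/" parses with host evil.example,
        // but reject userinfo outright rather than rely on the host comparison.
        return $fallback;
    }

    $refererHost = strtolower($parts['host']);
    if (isset($parts['port'])) {
        $refererHost .= ':' . $parts['port'];
    }
    if ($refererHost !== strtolower($allowedHost)) {
        return $fallback;
    }

    return $referer;
}

// Constructed cases: the shop is reached as shop.example, the attacker owns evil.example.
$cases = [
    ['https://shop.example/en_US/cart',     'https://shop.example/en_US/cart'],
    ['https://SHOP.example/product/42',     'https://SHOP.example/product/42'],
    ['https://evil.example/landing',        '/'],
    ['https://shop.example@evil.example/',  '/'],
    ['https://shop.example.evil.example/',  '/'],
    ['//evil.example/',                     '/'],
    ['javascript:alert(1)',                 '/'],
    [null,                                  '/'],
];

foreach ($cases as [$referer, $expected]) {
    $got = safeRefererTarget($referer, 'shop.example', '/');
    printf("%-40s -> %s\n", var_export($referer, true), $got);
    if ($got !== $expected) {
        throw new RuntimeException('unexpected result for ' . var_export($referer, true));
    }
}
```

In a Symfony controller the inputs would come from `$request->headers->get('referer')` and `$request->getHttpHost()`, and the result would be wrapped in a `RedirectResponse`. The stricter alternative, which avoids the Referer entirely, is to redirect to a fixed named route or to a target the application itself generated, which is why the fallback above is an in-app path rather than the original header.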


How to mitigate CVE-2026-31819

Install the security update from the vendor's website.

Sources