Cross-site scripting in Sylius - CVE-2026-31822
Published: April 27, 2026
Sylius
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists because the ApiLoginController Stimulus controller renders the authentication failure message into the DOM using innerHTML. A remote attacker who can cause malicious HTML or JavaScript to be included in the message field can therefore execute arbitrary script in the victim's browser.
The issue affects the default shop checkout login form, and exploitation may depend on customized authentication handlers, untrusted translation sources, intercepted responses, or modified JSON response bodies.
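As an added illustration (not code from Sylius or from this advisory), the pattern the advisory describes: a handler that takes the message field of a JSON login-failure response and writes it into the page. The innerHTML version reproduces the weakness; the hardened version uses textContent so that markup in the field is displayed verbatim instead of parsed. The function names, the element stub and the sample responses are assumptions made for this example.

```javascript
// Added example, not Sylius code. Function names and the element stub are hypothetical.

// Pull the failure message out of a JSON body. A missing or non-string
// `message` falls back to a generic text instead of being rendered as-is.
function failureMessage(body) {
  const msg = body && typeof body.message === "string" ? body.message : "";
  return msg.length > 0 ? msg : "Login failed.";
}

// Weak pattern: the message is handed to the HTML parser, so any tags or
// event-handler attributes in the response become live DOM nodes.
function renderFailureUnsafe(target, body) {
  target.innerHTML = failureMessage(body);
}

// Hardened pattern: textContent creates a text node, so the same input is
// shown literally and never interpreted as markup.
function renderFailureSafe(target, body) {
  target.textContent = failureMessage(body);
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
// The innerHTML setter is a crude approximation of the browser's HTML parser,
// only there to make the difference between the two paths visible offline.
function makeElementStub() {
  const el = { textContent: "", parsedTagCount: 0 };
  Object.defineProperty(el, "innerHTML", {
    set(value) {
      el.parsedTagCount = (value.match(/<[a-z][^>]*>/gi) || []).length;
      el.textContent = value.replace(/<[^>]*>/g, "");
    },
  });
  return el;
}

// Constructed responses: a normal failure and one whose message carries markup.
const normalResponse = { message: "Invalid credentials." };
const markupResponse = { message: "<b>Invalid</b> credentials <img src=x>" };
```

In a real Stimulus controller `target` would be the controller's message target element; the fix is the same one-line change from innerHTML to textContent.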