Sylius CVE-2026-31822
MEDIUM
GHSA-vgh8-c6fp-7gcg
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
AnalysisAI
Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentication error messages that are unsafely rendered via innerHTML. An attacker can craft a failed login attempt containing JavaScript payload that executes in the browser of any user viewing the checkout page, potentially stealing session tokens or credentials. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today