Skip to main content

Sylius CVE-2026-31825

MEDIUM
SQL Injection (CWE-89)
2026-03-10 security-advisories@github.com GHSA-xcwx-r2gw-w93m
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 10, 2026 - 22:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

AnalysisAI

Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 are vulnerable to DQL injection through the ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter API endpoints, which fail to validate user-supplied order direction parameters before passing them to Doctrine. An unauthenticated remote attacker can inject arbitrary DQL queries to read sensitive data from the application database. No patch is currently available for this medium-severity vulnerability.

Technical ContextAI

Classified as CWE-89 (SQL Injection). Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

More in Sylius

View all
CVE-2024-57610 HIGH POC
7.5 Feb 06

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user acco

CVE-2022-24743 HIGH POC
8.2 Mar 14

Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable,

CVE-2024-29376 MEDIUM POC
6.4 Apr 22

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severi

CVE-2022-24749 MEDIUM POC
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2026-31824 HIGH
8.2 Mar 10

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where conc

CVE-2026-31820 MEDIUM
6.5 Mar 10

Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated

CVE-2026-31819 MEDIUM
6.1 Mar 10

Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitra

CVE-2026-31822 MEDIUM
6.1 Mar 10

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentica

CVE-2022-24733 MEDIUM
6.1 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitabl

CVE-2022-24742 MEDIUM
5.5 Mar 14

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication r

CVE-2026-31821 MEDIUM
5.3 Mar 10

Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to a

CVE-2021-32720 MEDIUM
5.3 Jun 28

Sylius is an Open Source eCommerce platform on top of Symfony. Rated medium severity (CVSS 5.3), this vulnerability is r

Share

CVE-2026-31825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy