Skip to main content

Sylius

18 CVEs product

Monthly

CVE-2026-31825 PHP MEDIUM PATCH This Month

Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 are vulnerable to DQL injection through the ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter API endpoints, which fail to validate user-supplied order direction parameters before passing them to Doctrine. An unauthenticated remote attacker can inject arbitrary DQL queries to read sensitive data from the application database. No patch is currently available for this medium-severity vulnerability.

SQLi Sylius
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31824 PHP HIGH PATCH This Week

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where concurrent requests can bypass redemption restrictions by exploiting a gap between eligibility validation and usage increment operations. An unauthenticated attacker can exploit this TOCTOU vulnerability to redeem promotions or coupons beyond their configured usage limits, potentially causing financial loss through unintended discounts. No patch is currently available.

Race Condition Sylius
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-31823 PHP MEDIUM PATCH This Month

Stored XSS vulnerabilities in Sylius allow authenticated attackers with high privileges to inject malicious scripts through unsanitized entity names (taxons, products) that are rendered as raw HTML in breadcrumbs and admin interfaces. An attacker could craft malicious product or category names to execute arbitrary JavaScript in the browsers of shop visitors and administrators, potentially leading to session hijacking or credential theft. No patch is currently available for this medium-severity vulnerability.

XSS Sylius
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-31822 PHP MEDIUM PATCH This Month

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentication error messages that are unsafely rendered via innerHTML. An attacker can craft a failed login attempt containing JavaScript payload that executes in the browser of any user viewing the checkout page, potentially stealing session tokens or credentials. The vulnerability affects Sylius versions prior to 2.0.16, 2.1.12, and 2.2.3, with no current patch available for older releases.

XSS Sylius
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31821 PHP MEDIUM PATCH This Month

Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to add items to other customers' shopping carts if they possess a valid cart token value. This integrity flaw affects registered users whose carts can be manipulated by external threat actors, potentially leading to fraudulent transactions or operational disruption. The vulnerability is unpatched in versions prior to 2.0.16, 2.1.12, and 2.2.3.

Authentication Bypass Sylius
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31820 PHP MEDIUM PATCH This Month

Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated resource IDs in LiveComponent parameters, including checkout addresses and shopping carts. The vulnerability exists because LiveArg parameters lack ownership validation when loading resources by ID, allowing attackers to enumerate and retrieve private information such as names, contact details, and order information without proper authorization checks.

Authentication Bypass Sylius
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-31819 PHP MEDIUM PATCH This Month

Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitrary domains by manipulating the HTTP Referer header through multiple controllers, enabling phishing and credential theft attacks when victims click malicious links from attacker-controlled sites. Public endpoints are trivially exploitable without authentication, while admin endpoints require an authenticated session but remain vulnerable if administrators follow external links. No patch is currently available for this medium-severity flaw.

Open Redirect Sylius
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-57610 HIGH POC This Week

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Sylius
NVD GitHub
CVSS 3.1
7.5
EPSS
9.7%
CVE-2024-29376 PHP MEDIUM POC PATCH This Month

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sylius
NVD GitHub
CVSS 3.1
6.4
EPSS
0.4%
CVE-2022-24749 PHP MEDIUM POC PATCH This Month

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sylius
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-24743 PHP HIGH POC PATCH This Week

Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Sylius
NVD GitHub
CVSS 3.1
8.2
EPSS
1.2%
CVE-2022-24742 PHP MEDIUM PATCH This Month

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sylius
NVD GitHub
CVSS 3.1
5.5
EPSS
0.8%
CVE-2022-24733 PHP MEDIUM PATCH This Month

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Sylius
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-32720 PHP MEDIUM PATCH This Month

Sylius is an Open Source eCommerce platform on top of Symfony. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sylius
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2020-15245 PHP MEDIUM PATCH This Month

In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Sylius
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2020-5218 PHP MEDIUM PATCH This Month

Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Sylius
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2019-12186 PHP MEDIUM PATCH This Month

An issue was discovered in Sylius products. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Grid Sylius
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2019-16768 PHP MEDIUM PATCH This Month

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sylius
NVD GitHub
CVSS 3.1
4.3
EPSS
0.7%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sylius eCommerce Framework versions prior to 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 are vulnerable to DQL injection through the ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter API endpoints, which fail to validate user-supplied order direction parameters before passing them to Doctrine. An unauthenticated remote attacker can inject arbitrary DQL queries to read sensitive data from the application database. No patch is currently available for this medium-severity vulnerability.

SQLi Sylius
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Sylius eCommerce Framework is vulnerable to a race condition in promotion and coupon usage limit enforcement, where concurrent requests can bypass redemption restrictions by exploiting a gap between eligibility validation and usage increment operations. An unauthenticated attacker can exploit this TOCTOU vulnerability to redeem promotions or coupons beyond their configured usage limits, potentially causing financial loss through unintended discounts. No patch is currently available.

Race Condition Sylius
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS vulnerabilities in Sylius allow authenticated attackers with high privileges to inject malicious scripts through unsanitized entity names (taxons, products) that are rendered as raw HTML in breadcrumbs and admin interfaces. An attacker could craft malicious product or category names to execute arbitrary JavaScript in the browsers of shop visitors and administrators, potentially leading to session hijacking or credential theft. No patch is currently available for this medium-severity vulnerability.

XSS Sylius
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Sylius checkout login form allows unauthenticated attackers to inject malicious scripts through authentication error messages that are unsafely rendered via innerHTML. An attacker can craft a failed login attempt containing JavaScript payload that executes in the browser of any user viewing the checkout page, potentially stealing session tokens or credentials. The vulnerability affects Sylius versions prior to 2.0.16, 2.1.12, and 2.2.3, with no current patch available for older releases.

XSS Sylius
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sylius eCommerce framework's cart API endpoint fails to validate cart ownership, allowing unauthenticated attackers to add items to other customers' shopping carts if they possess a valid cart token value. This integrity flaw affects registered users whose carts can be manipulated by external threat actors, potentially leading to fraudulent transactions or operational disruption. The vulnerability is unpatched in versions prior to 2.0.16, 2.1.12, and 2.2.3.

Authentication Bypass Sylius
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated users in Sylius eCommerce can access sensitive customer data belonging to other users through unvalidated resource IDs in LiveComponent parameters, including checkout addresses and shopping carts. The vulnerability exists because LiveArg parameters lack ownership validation when loading resources by ID, allowing attackers to enumerate and retrieve private information such as names, contact details, and order information without proper authorization checks.

Authentication Bypass Sylius
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Open redirect vulnerabilities in Sylius eCommerce Framework allow unauthenticated attackers to redirect users to arbitrary domains by manipulating the HTTP Referer header through multiple controllers, enabling phishing and credential theft attacks when victims click malicious links from attacker-controlled sites. Public endpoints are trivially exploitable without authentication, while admin endpoints require an authenticated session but remain vulnerable if administrators follow external links. No patch is currently available for this medium-severity flaw.

Open Redirect Sylius
NVD GitHub VulDB
EPSS 10% CVSS 7.5
HIGH POC This Week

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Sylius
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sylius
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sylius
NVD GitHub
EPSS 1% CVSS 8.2
HIGH POC PATCH This Week

Sylius is an open source eCommerce platform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Sylius
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sylius
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Sylius is an open source eCommerce platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Sylius
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Sylius is an Open Source eCommerce platform on top of Symfony. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sylius
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Sylius
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Sylius
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

An issue was discovered in Sylius products. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Grid Sylius
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Sylius
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy