PT-2026-24473 · Sylius · Sylius

Bartłomiej Nowiński · Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31819

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

Sylius versions prior to 1.9.12
Sylius versions prior to 1.10.16
Sylius versions prior to 1.11.17
Sylius versions prior to 1.12.23
Sylius versions prior to 1.13.15
Sylius versions prior to 1.14.18
Sylius versions prior to 2.0.16
Sylius versions prior to 2.1.12
Sylius versions prior to 2.2.3
Description

Sylius, an open source eCommerce framework built on Symfony, is susceptible to an open redirect because CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle() use the value of the HTTP Referer header directly as the redirect target. An attacker can exploit this by tricking a user into clicking a legitimate application link hosted on a malicious website: the browser sends the attacker's site as the Referer, and the application redirects the user back to it. This can lead to phishing or credential theft, since the redirect appears to originate from a trusted domain. The public endpoints are exploitable without authentication; the admin-only endpoints require an authenticated session but remain vulnerable whenever an administrator follows a link from an external source.
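The advisory's root cause is that a Referer value was trusted as a redirect target without checking that it points back into the application. The following is an added example written for this page, not Sylius's own fix: a standalone PHP helper that accepts a Referer only when its host equals the host the request was served on, reduces it to a local path-plus-query, and otherwise falls back to a fixed route. The function name safeRedirectTarget and the parameter names are hypothetical; in a Symfony controller the inputs would come from $request->headers->get('referer') and $request->getHttpHost(), with framework.trusted_hosts configured so the Host header itself is trustworthy.

```php
<?php
// Added example (not Sylius project code). Decides whether an HTTP Referer may be
// used as a redirect target. The vulnerable pattern described in the advisory is
// the equivalent of: return new RedirectResponse($request->headers->get('referer'));
// This helper only returns a same-host, local target and otherwise a fixed fallback.
declare(strict_types=1);

function safeRedirectTarget(?string $referer, string $requestHost, string $fallbackPath = '/'): string
{
    if ($referer === null || $referer === '') {
        return $fallbackPath;
    }

    $parts = parse_url($referer);
    if ($parts === false) {
        // Malformed URL: never pass it through.
        return $fallbackPath;
    }

    if (!isset($parts['host'])) {
        // Relative Referer. Only a single leading "/" is a local path; "//host" is
        // scheme-relative (external) and a backslash can be normalised to "/" by browsers.
        $path = $parts['path'] ?? '';
        if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//') || str_contains($path, '\\')) {
            return $fallbackPath;
        }
        return $referer;
    }

    // Absolute Referer: the host (and port, if present) must match the request host
    // exactly. This rejects lookalike subdomains and userinfo tricks such as
    // https://shop.example@attacker.example/ (parse_url reports attacker.example as host).
    $refererHost = strtolower($parts['host']) . (isset($parts['port']) ? ':' . $parts['port'] : '');
    if ($refererHost !== strtolower($requestHost)) {
        return $fallbackPath;
    }

    // Drop scheme and host so the redirect is local even when the host matched.
    $target = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target;
}

// Constructed sample Referer values for a request served at shop.example.
function demo(): array
{
    $cases = [
        'https://shop.example/currency/switch?code=EUR',   // same host: kept as local path
        'https://attacker.example/fake-login',             // external: fallback
        'https://shop.example.attacker.example/',          // lookalike subdomain: fallback
        'https://shop.example@attacker.example/',          // userinfo trick: fallback
        '//attacker.example/',                             // scheme-relative: fallback
        '/account/dashboard',                              // local relative path: kept
        null,                                              // no Referer sent: fallback
    ];
    $out = [];
    foreach ($cases as $referer) {
        $out[(string) $referer] = safeRedirectTarget($referer, 'shop.example', '/');
    }
    return $out;
}

print_r(demo());
```

Returning a path rather than the original absolute URL is deliberate: even after a successful host comparison, a local target cannot be turned into an off-site redirect by a later change in how hosts are compared. If the deployment serves the shop on a non-default port, the Host value passed in must include that port, since the comparison treats shop.example and shop.example:8443 as different hosts.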
Recommendations

Versions prior to 1.9.12 should be updated to version 1.9.12 or later.
Versions prior to 1.10.16 should be updated to version 1.10.16 or later.
Versions prior to 1.11.17 should be updated to version 1.11.17 or later.
Versions prior to 1.12.23 should be updated to version 1.12.23 or later.
Versions prior to 1.13.15 should be updated to version 1.13.15 or later.
Versions prior to 1.14.18 should be updated to version 1.14.18 or later.
Versions prior to 2.0.16 should be updated to version 2.0.16 or later.
Versions prior to 2.1.12 should be updated to version 2.1.12 or later.
Versions prior to 2.2.3 should be updated to version 2.2.3 or later.

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-31819
GHSA-9FFX-F77R-756W

Affected Products

Sylius