PT-2026-24476 · Sylius · Sylius

Bartłomiej Nowiński

·

Published

2026-03-10

·

Updated

2026-03-11

·

CVE-2026-31822

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Sylius versions prior to 2.0.16
Sylius versions prior to 2.1.12
Sylius versions prior to 2.2.3
Description

Sylius, an open source eCommerce framework built on Symfony, contains a cross-site scripting (XSS) issue in the shop checkout login form. The affected code is the ApiLoginController Stimulus controller. When a login attempt fails, the AuthenticationFailureHandler returns a JSON response, and the controller writes the message field of that response into the Document Object Model (DOM) with innerHTML. Because innerHTML parses its input as markup, any HTML in the value is rendered and any inline event handler it carries (for example an onerror attribute on an injected element) is executed by the browser in the context of the shop page.
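To make the sink concrete, the following is an added example written for this page; it is not Sylius code and does not reproduce the project's controller. It renders a JSON failure response the way the advisory describes (innerHTML) beside the inert alternative (textContent), and runs a small checker over the resulting markup. The response body is constructed for illustration; the advisory does not state how an attacker influences the real message field, and the function names are assumptions.

```javascript
// Added example, not Sylius code: the innerHTML sink from the advisory
// next to its hardened form. Names and the response body are assumptions
// made for this illustration.

// Constructed JSON failure response of the kind the checkout login form
// receives after a failed login attempt (illustrative payload only).
const HOSTILE_FAILURE_RESPONSE = JSON.stringify({
  message: 'Invalid credentials <img src=x onerror="alert(document.cookie)">',
});

// What the DOM holds after `el.innerHTML = message`: the browser parses
// the string as markup, so tags and their event-handler attributes are live.
function renderMessageWithInnerHTML(responseBody) {
  const { message } = JSON.parse(responseBody);
  return message; // vulnerable: interpreted as HTML
}

// Serialise a string the way a DOM text node is serialised, i.e. what the
// element holds after `el.textContent = message`. `&`, `<` and `>` become
// entities, so the markup is displayed literally and nothing is interpreted.
function serializeTextNode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function renderMessageWithTextContent(responseBody) {
  const { message } = JSON.parse(responseBody);
  return serializeTextNode(message); // fixed: inert text
}

// Checker: does this markup contain anything that runs or loads attacker
// content when inserted via innerHTML? Note that <script> elements created
// by innerHTML are NOT executed; inline handlers (onerror, onload, ...),
// javascript: URLs and embedding elements are what actually fire.
function hasActiveContent(html) {
  const tag = /<\s*[a-z][^>]*>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const t = m[0];
    if (/\son[a-z]+\s*=/i.test(t)) return true;                          // inline event handler
    if (/(href|src|action)\s*=\s*["']?\s*javascript:/i.test(t)) return true; // javascript: URL
    if (/^<\s*(iframe|object|embed)\b/i.test(t)) return true;            // loads remote content
  }
  return false;
}

// Compare the two renderings of the same hostile response.
function demo() {
  return {
    vulnerable: hasActiveContent(renderMessageWithInnerHTML(HOSTILE_FAILURE_RESPONSE)),
    fixed: hasActiveContent(renderMessageWithTextContent(HOSTILE_FAILURE_RESPONSE)),
  };
}

console.log(demo()); // { vulnerable: true, fixed: false }
```

The practical takeaway for reviewing similar Stimulus or fetch-based login handlers: a server-supplied error string should reach the page through textContent (or an equivalent escaping step), never through innerHTML, regardless of whether the current backend appears to return only static text.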
Recommendations

Update Sylius to version 2.0.16 or later.
Update Sylius to version 2.1.12 or later.
Update Sylius to version 2.2.3 or later.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-31822
GHSA-VGH8-C6FP-7GCG

Affected products

Sylius