PT-2026-24476 · Sylius · Sylius
Bartłomiej Nowiński
·
Published
2026-03-10
·
Updated
2026-03-11
·
CVE-2026-31822
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Sylius versions prior to 2.0.16
Sylius versions prior to 2.1.12
Sylius versions prior to 2.2.3
Description
Sylius, an open source eCommerce framework built on Symfony, contains a cross-site scripting (XSS) issue in the shop checkout login form. The vulnerable code path is the ApiLoginController Stimulus controller. When a login attempt fails, the AuthenticationFailureHandler returns a JSON response, and the controller writes the response's message field into the Document Object Model (DOM) using innerHTML. Because innerHTML parses its input as markup, any HTML or JavaScript present in the message value is parsed and executed by the browser.
Recommendations
Update Sylius to version 2.0.16 or later.
Update Sylius to version 2.1.12 or later.
Update Sylius to version 2.2.3 or later.
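The sink described above, as an added example that is not Sylius's own code: the innerHTML pattern that parses the JSON message as markup beside a hardened version that renders it as text. The `FakeElement` stand-in, the handler names, the `containsLiveTag` check and the sample failure response are all constructed for this illustration so the block runs under Node without a browser; it only models the one browser rule that matters here (markup assigned to `innerHTML` is parsed live, text assigned to `textContent` becomes an inert text node that re-serialises escaped).

```javascript
// Added example (not Sylius code). Models the innerHTML sink from the
// advisory and a hardened replacement. FakeElement, renderFailureUnsafe,
// renderFailureSafe, containsLiveTag and SAMPLE_FAILURE are constructed here.

// Serialisation of a text node: '<', '>' and '&' come back escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Minimal stand-in for a DOM element (constructed; not a real DOM).
class FakeElement {
  constructor() { this._html = ''; }
  get innerHTML() { return this._html; }
  set innerHTML(markup) { this._html = String(markup); }   // parsed as HTML
  set textContent(text) { this._html = escapeHtml(text); } // inert text node
}

// Vulnerable pattern: the JSON "message" field goes straight into the DOM
// as markup, so any tags it carries are parsed and run by the browser.
function renderFailureUnsafe(target, failureJson) {
  const body = JSON.parse(failureJson);
  target.innerHTML = body.message;
  return target.innerHTML;
}

// Hardened pattern: the same field is rendered as text. Tags in it stay
// inert, and a non-string message falls back to a fixed, neutral string.
function renderFailureSafe(target, failureJson) {
  const body = JSON.parse(failureJson);
  target.textContent = typeof body.message === 'string' ? body.message : 'Login failed';
  return target.innerHTML;
}

// Review/test check: does the rendered markup still contain a live tag?
function containsLiveTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed failure response. A real AuthenticationFailureHandler body
// carries whatever message the server placed in it; the point is only that
// the client must not treat that string as HTML.
const SAMPLE_FAILURE = JSON.stringify({
  message: 'Invalid credentials <b>rendered as markup</b>',
});

console.log('unsafe:', renderFailureUnsafe(new FakeElement(), SAMPLE_FAILURE));
console.log('safe  :', renderFailureSafe(new FakeElement(), SAMPLE_FAILURE));
```

Run with `node` to see the two renderings side by side: the unsafe version keeps the `<b>` element live in the DOM, the safe version serialises it as `&lt;b&gt;`. The same check (`containsLiveTag` over the serialised DOM after a failed login) is a reasonable regression test to keep next to the fix.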
Exploit
Fix
XSS
Affected Products
Sylius