PT-2026-24477 · Sylius+2

Whiteov3Rflow · Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31823

CVSS v3.1 4.8 Medium
Vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sylius release branches 1.9 through 2.2, in releases earlier than the fixed versions listed under Recommendations.
Description: Sylius, an open source eCommerce framework built on Symfony, contains an authenticated stored cross-site scripting (XSS) vulnerability in several places in the shop frontend and the admin panel. The cause is that entity names are rendered as raw HTML: the vulnerable code interpolates the stored value directly into HTML templates without escaping it. The affected sinks are the shop breadcrumbs (shared/breadcrumbs.html.twig, the breadcrumb label), the admin product taxon picker (ProductTaxonTreeController.js, the name variable) and the admin autocomplete fields built on Tom Select (the displayed entity names). An authenticated administrator who can edit an entity name, for example a taxon name set to <img src=x onerror=alert('XSS')>, gets that markup stored and executed as JavaScript in the browser of every user to whom the name is later rendered, including shop visitors in the breadcrumb case. The CVSS vector reflects this: administrator privileges are required (PR:H), a victim must load a page that renders the name (UI:R), and the impact crosses from the admin panel into the shop (S:C).
Recommendations: update to the fixed release of the branch you run, or any later release of that branch: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12 or 2.2.3.

XSS

Related Identifiers

CVE-2026-31823
GHSA-MX4Q-XXC9-PF5Q

Affected Products

Sylius
Symfony
Tom Select