PT-2026-24479 · Sylius · Sylius

Neosprings · Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31825

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Sylius versions 1.9.12 through 1.11.17
Sylius versions 1.12.23 through 1.13.15
Sylius versions 1.14.18 through 2.0.16
Sylius versions 2.1.12 through 2.2.3
Description

Sylius is an Open Source eCommerce Framework on Symfony. The ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter API filters do not validate user-supplied order direction values before passing them to Doctrine's orderBy() function, allowing for arbitrary DQL injection. The filters pass the order direction directly to the orderBy() function without proper sanitization. This could allow an attacker to manipulate database queries.
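The pattern described above, as an added illustration that is not Sylius's own code: a hypothetical Doctrine-based order filter that forwards a request-supplied direction straight into the query builder, beside a hardened version that constrains the value to ASC or DESC before it reaches DQL. The `price` field, alias and function names are assumptions for the example; `Doctrine\ORM\QueryBuilder::addOrderBy()` is the real Doctrine API.

```php
<?php
// Added example, not Sylius code: vulnerable vs. validated handling of an
// order direction taken from an API query string such as ?order[price]=...
use Doctrine\ORM\QueryBuilder;

final class OrderDirection
{
    private const ALLOWED = ['ASC', 'DESC'];

    // Accept only the two DQL keywords; anything else is rejected outright.
    public static function normalize(?string $direction, string $default = 'ASC'): string
    {
        if ($direction === null || $direction === '') {
            return $default;
        }
        $upper = strtoupper(trim($direction));
        if (!in_array($upper, self::ALLOWED, true)) {
            throw new \InvalidArgumentException('Order direction must be ASC or DESC.');
        }
        return $upper;
    }
}

// Vulnerable pattern (hypothetical): the raw request value becomes part of the
// DQL ORDER BY clause, so it is not limited to ASC/DESC.
function applyPriceOrderUnchecked(QueryBuilder $qb, string $alias, string $direction): void
{
    $qb->addOrderBy(sprintf('%s.price', $alias), $direction);
}

// Hardened pattern (hypothetical): the direction is validated at the filter
// boundary, so only a legal keyword can ever be appended to the query.
function applyPriceOrderValidated(QueryBuilder $qb, string $alias, ?string $direction): void
{
    $qb->addOrderBy(sprintf('%s.price', $alias), OrderDirection::normalize($direction));
}
```

The same allow-list check should apply to any other request-controlled fragment the filter places into DQL, such as the sortable field name.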
Recommendations

Update to Sylius version 1.9.12 or later.
Update to Sylius version 1.10.16 or later.
Update to Sylius version 1.11.17 or later.
Update to Sylius version 1.12.23 or later.
Update to Sylius version 1.13.15 or later.
Update to Sylius version 1.14.18 or later.
Update to Sylius version 2.0.16 or later.
Update to Sylius version 2.1.12 or later.
Update to Sylius version 2.2.3 or later.

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-31825
GHSA-XCWX-R2GW-W93M

Affected Products

Sylius