GHSA-R2F4-FF2P-XC64 Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save

Description An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controlled composite index metadata and trigger unintended SQL execution in the backend. The vulnerable flow accepts compositeIndices from imported JSON, stores the values...

CVE-2026-31825

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...

CVE-2026-31824

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit the global used counter on Promotion entities, coupon usage limi...

CVE-2026-33914

OpenEMR (prior to 8.0.0.3) contains a blind SQL injection in the PostCalendar categoriesUpdate function. The malsicious code uses the dels POST parameter, which is read via pnVarCleanFromInput() (HTML tags stripped only) and directly interpolated into a raw SQL DELETE statement executed by Doctri...

CVE-2026-33914 OpenEMR has SQL Injection in PostCalendar Category Delete

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via...

CVE-2026-33914 OpenEMR has SQL Injection in PostCalendar Category Delete

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via...

PT-2026-28144

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via...

Sylius has a DQL Injection via API Order Filters

Impact Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL: GET /api/v2/shop/products?orderprice=ASC,%20variant.code%20DESC Patches The...

EUVD-2026-10923

Sylius has a DQL Injection via API Order Filters...

EUVD-2026-10921

Sylius has a Promotion Usage Limit Bypass via Race Condition...

EUVD-2026-10920

Sylius has a Promotion Usage Limit Bypass via Race Condition...

Sylius has a Promotion Usage Limit Bypass via Race Condition

Impact A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects three independent limits: 1. Promotion usage limit - the global used counter on Promotion entities 2. Coupon usage limit - the global used...

CVE-2026-31825

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...

CVE-2026-31825 Sylius has a DQL Injection via API Order Filters

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...

CVE-2026-31825

Sylius (Open Source eCommerce framework on Symfony) has a vulnerability in API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter, where user-supplied order direction values are passed directly to Doctrine’s orderBy() without validation. This allows injection of arbitrary DQL...

CVE-2026-31825 Sylius has a DQL Injection via API Order Filters

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...

CVE-2026-31824 Sylius has a Promotion Usage Limit Bypass via Race Condition

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit the global used counter on Promotion entities, coupon usage limi...

PT-2026-24479

Name of the Vulnerable Software and Affected Versions Sylius versions 1.9.12 through 1.11.17 Sylius versions 1.12.23 through 1.13.15 Sylius versions 1.14.18 through 2.0.16 Sylius versions 2.1.12 through 2.2.3 Description Sylius is an Open Source eCommerce Framework on Symfony. The...

EUVD-2021-2388

Malware in sbrugna...

EUVD-2011-1523

Malware in sbrugna...