EUVD-2026-10923
Sylius has a DQL Injection via API Order Filters
Impact

Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL: GET /api/v2/shop/products?orderprice=ASC,%20variant.code%20DESC

Patches

The...