CVE-2026-31825
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy without validation. An attacker can inject arbitrary DQL. The issue is fixed in...
EUVD-2026-10922
Sylius has a DQL Injection via API Order Filters...
EUVD-2026-10916
Sylius has an XSS vulnerability in checkout login form...
EUVD-2026-10915
Sylius is Missing Authorization in API v2 Add Item Endpoint...
EUVD-2026-10913
Sylius affected by IDOR in Cart and Checkout LiveComponents...
EUVD-2026-10911
Sylius has an Open Redirect via Referer Header...
CVE-2026-31824 Sylius has a Promotion Usage Limit Bypass via Race Condition
Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limi...
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
CVE-2026-31819 Sylius has an Open Redirect via Referer Header
Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...
CVE-2026-31819
Sylius (Open Source eCommerce Framework on Symfony) has a referer-based redirect issue in CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction, and StorageBasedLocaleSwitcher::handle. The vulnerability arises when a victim clicks a link on an attacker-controlled pa...
GHSA-2HJH-495W-HMXC Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts
Withdrawn Advisory: This advisory has been withdrawn because it is not a vulnerability in the Sylius framework. This link is maintained to preserve external references. Original Description: A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks ...