CVE-2026-31822

MEDIUM

Sylius <2.0.16, 2.1.12, 2.2.3 - XSS

Title source: llm

Description

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/Sylius/Sylius/security/advisories/GHSA-vgh8-c6fp-7gcg

Scores

CVSS v3 6.1

EPSS 0.0018

EPSS Percentile 7.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

sylius/sylius 2.0.0 - 2.0.16Packagist

sylius/sylius 2.0.0 - 2.0.16

Published Mar 10, 2026

Tracked Since Mar 11, 2026