CVE-2026-31822
Last modified
CVE-2026-31822 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. EPSS estimates a 0.18% chance of exploitation in the next 30 days.
Description
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sylius | Sylius | >= 2.0.0, < 2.0.16 |
| Sylius | Sylius | >= 2.1.0, < 2.1.12 |
| Sylius | Sylius | >= 2.2.0, < 2.2.3 |
References
- https://github.com/Sylius/Sylius/security/advisories/GHSA-vgh8-c6fp-7gcgMitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-31822?
How severe is CVE-2026-31822?
How do I fix CVE-2026-31822?
Are you affected by CVE-2026-31822?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST