Sylius has an XSS vulnerability in checkout login form
Description
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions 2.0.16, 2.1.12 and 2.2.3 (and later releases of each branch).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylius checkout login form improperly uses innerHTML to render JSON error messages, permitting persistent XSS under several realistic conditions.
Vulnerability Overview
CVE-2026-31822 is a cross-site scripting (XSS) vulnerability in the Sylius eCommerce framework affecting the shop checkout login form. The root cause is that the AuthenticationFailureHandler returns a JSON response whose message field is injected into the Document Object Model (DOM) using innerHTML [2]. This direct assignment of server-returned content to innerHTML violates defense-in-depth principles by allowing any HTML or JavaScript present in the message value to be parsed and executed by the browser [1][2].
Attack Vector and Exploitation
The message value originates from AuthenticationException::getMessageKey(), passed through Symfony's translator using the request locale. In a default Sylius installation, this string is a hardcoded translation key (e.g., "Invalid credentials.") and is not directly user-controlled [2]. However, the risk escalates significantly under several realistic scenarios: if a project overrides the authentication handler to include user-supplied data (e.g., a custom message like "No account found for {username}"), if translation files are sourced from an untrusted database or CMS, if a Man-in-the-Middle (MitM) attacker intercepts the HTTP response, or if any middleware or reverse proxy modifies the JSON body [2]. No privileged access or authentication is required to trigger the vulnerability—an attacker can simply submit crafted credentials to the checkout login endpoint [2].
Impact
Successful exploitation could lead to session hijacking, credential theft, cart or order manipulation, or phishing attacks within the trusted shop domain [2]. Because the injected script executes in the context of the legitimate e-commerce site, an attacker can silently exfiltrate sensitive data entered by the victim on subsequent pages.
Mitigation and Remediation
The Sylius project has released patches in versions 2.0.16, 2.1.12, and 2.2.3 that fix the vulnerability by avoiding the use of innerHTML for rendering the error message [1][2]. Users are strongly advised to upgrade to one of the patched versions. As a workaround, site administrators can override the vulnerable JavaScript controller (ApiLoginController.js) at the project level to sanitize or safely insert the message content [2].
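As an added illustration (not Sylius project code), the unsafe rendering pattern the advisory describes beside the textContent-based alternative that a project-level override of ApiLoginController.js could use. The FakeElement shim and both response bodies are constructed for the example so it runs outside a browser.

```javascript
// Minimal stand-in for an HTMLElement so the example runs under Node. Assigning
// innerHTML "parses" the markup (recording every tag a browser would create);
// assigning textContent stores the string verbatim, exactly as the real DOM does.
class FakeElement {
  constructor() { this.tags = []; this.text = ''; }
  set innerHTML(markup) {
    this.tags = [...markup.matchAll(/<([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
    this.text = markup.replace(/<[^>]*>/g, '');
  }
  set textContent(value) { this.tags = []; this.text = String(value); }
  get textContent() { return this.text; }
}

// Vulnerable pattern from the advisory: the JSON "message" field is assigned to
// innerHTML, so any markup inside the value is parsed and, in a browser, executed.
function renderErrorUnsafe(target, body) {
  target.innerHTML = body.message;
}

// Hardened pattern: treat the message strictly as data. textContent (or a text node)
// displays the string without parsing it, so no element or handler is ever created.
function renderErrorSafe(target, body) {
  const message = typeof body?.message === 'string' ? body.message : 'Login failed.';
  target.textContent = message;
}

// Constructed failure responses. The first mimics a customised handler that interpolates
// the submitted username into the message (an assumption, not default Sylius behaviour);
// the second is the default translated key the advisory cites.
const hostileResponse = { message: 'No account found for <img src="x" onerror="/* attacker script */">' };
const benignResponse = { message: 'Invalid credentials.' };

// Renders one response with the given strategy and reports what the "DOM" ended up with.
function demo(render, body) {
  const el = new FakeElement();
  render(el, body);
  return { text: el.textContent, tags: el.tags };
}

console.log('unsafe:', demo(renderErrorUnsafe, hostileResponse)); // tags: ['img']
console.log('safe:  ', demo(renderErrorSafe, hostileResponse));   // tags: [], message shown literally
```

The same comparison can be run in a browser console by replacing FakeElement with document.createElement('div'); the element created by the unsafe path is visible via el.children.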
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sylius/sylius (Packagist) | >= 2.0.0, < 2.0.16 | 2.0.16 |
| sylius/sylius (Packagist) | >= 2.1.0, < 2.1.12 | 2.1.12 |
| sylius/sylius (Packagist) | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
- Sylius/Sylius (v5): range >= 2.2.0, < 2.2.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vgh8-c6fp-7gcg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-31822 (NVD entry)
- github.com/Sylius/Sylius/security/advisories/GHSA-vgh8-c6fp-7gcg (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.