Sylius has Authenticated Stored XSS
Description
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sylius/syliusPackagist | >= 2.0.0, < 2.0.16 | 2.0.16 |
sylius/syliusPackagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
sylius/syliusPackagist | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-mx4q-xxc9-pf5qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31823ghsaADVISORY
- github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5qghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.