Sylius has Authenticated Stored XSS

Vulnerability

Overview

CVE-2026-31823 describes a stored cross-site scripting (XSS) vulnerability in the Sylius eCommerce framework (Symfony-based). The root cause is that entity names (e.g., taxon names, product names) are rendered as raw HTML without proper sanitization in several locations across both the shop frontend and administrator panel. Specifically, the Twig |raw filter in the breadcrumbs template (shared/breadcrumbs.html.twig), JavaScript template literals in the admin product taxon picker (ProductTaxonTreeController.js), and autocomplete dropdowns all fail to escape entity names before insertion into the DOM [1][2].

Exploitation

An authenticated administrator can supply a malicious entity name — such as a taxon name containing `` — which is then persistently stored and rendered as HTML without escaping. This injected JavaScript executes in the browsers of all subsequent users viewing the affected pages, including the storefront breadcrumbs, the admin product taxon tree picker, and any autocomplete fields displaying entity names. No additional authentication is required for victims beyond normal browsing [1][2].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of any user's session. This can lead to session hijacking, defacement, or phishing attacks within the application. Because the injected script is stored and served to all users, the attack can propagate to administrators, shop customers, and other staff without requiring direct interaction with the attacker [1][2].

Mitigation

Sylius has released fixes in versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above. The vendor also provides workarounds that involve overriding vulnerable templates and JavaScript controllers at the project level, with example patches available in the advisory. Users are strongly advised to update to a patched version or apply the provided workarounds [2].