Sylius has a DQL Injection via API Order Filters
Description
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylius API filters lack input validation for order direction, allowing DQL injection via crafted order parameters.
The Sylius eCommerce framework's API filters, specifically ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter, pass user-supplied order direction values directly to Doctrine's orderBy() method without any validation. This oversight enables an attacker to inject arbitrary DQL (Doctrine Query Language) by providing malicious order direction strings [1][2].
Exploitation is straightforward: an unauthenticated attacker sends a crafted HTTP GET request to the API endpoint, such as /api/v2/shop/products?order[price]=ASC,%20variant.code%20DESC. The injected DQL is appended to the query, allowing the attacker to manipulate the database query beyond intended parameters [2]. No special privileges are required; the vulnerable filters are part of the public API.
Successful DQL injection can lead to unauthorized data exposure or query manipulation. An attacker may be able to retrieve sensitive information from the database or alter the query logic to access data that should be restricted [1]. The impact is considered critical, as it compromises the confidentiality and integrity of the eCommerce platform's data.
The vulnerability has been patched in multiple Sylius versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3, and later. For those unable to update immediately, a workaround is available: implement an EventSubscriber that sanitizes order query parameters on API routes before they reach the vulnerable filters [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sylius/syliusPackagist | < 1.9.12 | 1.9.12 |
sylius/syliusPackagist | >= 1.10.0, < 1.10.16 | 1.10.16 |
sylius/syliusPackagist | >= 1.11.0, < 1.11.17 | 1.11.17 |
sylius/syliusPackagist | >= 1.12.0, < 1.12.23 | 1.12.23 |
sylius/syliusPackagist | >= 1.13.0, < 1.13.15 | 1.13.15 |
sylius/syliusPackagist | >= 1.14.0, < 1.14.18 | 1.14.18 |
sylius/syliusPackagist | >= 2.0.0, < 2.0.16 | 2.0.16 |
sylius/syliusPackagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
sylius/syliusPackagist | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
2- Sylius/Syliusv5Range: >= 2.2.0, < 2.2.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-xcwx-r2gw-w93mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31825ghsaADVISORY
- github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93mghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.