VYPR
Moderate severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

Sylius has a DQL Injection via API Order Filters

CVE-2026-31825

Description

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
sylius/syliusPackagist
< 1.9.121.9.12
sylius/syliusPackagist
>= 1.10.0, < 1.10.161.10.16
sylius/syliusPackagist
>= 1.11.0, < 1.11.171.11.17
sylius/syliusPackagist
>= 1.12.0, < 1.12.231.12.23
sylius/syliusPackagist
>= 1.13.0, < 1.13.151.13.15
sylius/syliusPackagist
>= 1.14.0, < 1.14.181.14.18
sylius/syliusPackagist
>= 2.0.0, < 2.0.162.0.16
sylius/syliusPackagist
>= 2.1.0, < 2.1.122.1.12
sylius/syliusPackagist
>= 2.2.0, < 2.2.32.2.3

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.