Vendor CVEs
Sylius
All CVEs
24 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-30152 | Med | 0.35 | 6.5 | 0.00 | Mar 19, 2025 | The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user… | ||
| CVE-2025-29788 | Med | 0.35 | 6.5 | 0.00 | Mar 17, 2025 | The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their… | ||
| CVE-2024-40633 | Med | 0.27 | 5.3 | 0.00 | Jul 17, 2024 | Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid… | ||
| CVE-2024-34349 | Med | 0.24 | 4.8 | 0.00 | May 14, 2024 | Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or… | ||
| CVE-2026-31825 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The… | |||
| CVE-2026-31824 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion… | |||
| CVE-2026-31823 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs… | |||
| CVE-2026-31822 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response… | |||
| CVE-2026-31821 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who… | |||
| CVE-2026-31820 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by… | |||
| CVE-2026-31819 | 0.00 | — | 0.00 | Mar 10, 2026 | Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to… | |||
| CVE-2024-57610 | 0.00 | — | 0.01 | Feb 6, 2025 | A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core… | |||
| CVE-2021-3841 | 0.00 | — | 0.00 | Nov 15, 2024 | sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser. | |||
| CVE-2024-29376 | 0.00 | — | 0.00 | Apr 22, 2024 | Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book. | |||
| CVE-2022-24752 | 0.00 | — | 0.01 | Mar 15, 2022 | SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took… | |||
| CVE-2022-24749 | 0.00 | — | 0.01 | Mar 14, 2022 | Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or… | |||
| CVE-2022-24743 | 0.00 | — | 0.01 | Mar 14, 2022 | Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password… | |||
| CVE-2022-24742 | 0.00 | — | 0.01 | Mar 14, 2022 | Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must… | |||
| CVE-2022-24733 | 0.00 | — | 0.01 | Mar 14, 2022 | Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target… | |||
| CVE-2021-41120 | 0.00 | — | 0.01 | Oct 5, 2021 | sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to predict. The problem is that the… | |||
| CVE-2021-32720 | 0.00 | — | 0.01 | Jun 28, 2021 | Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few… | |||
| CVE-2020-15245 | 0.00 | — | 0.01 | Oct 19, 2020 | In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were… | |||
| CVE-2020-5218 | 0.00 | — | 0.01 | Jan 27, 2020 | Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the… | |||
| CVE-2019-16768 | 0.00 | — | 0.01 | Dec 5, 2019 | In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may… |
- risk 0.35cvss 6.5epss 0.00
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user…
- risk 0.35cvss 6.5epss 0.00
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their…
- risk 0.27cvss 5.3epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid…
- risk 0.24cvss 4.8epss 0.00
Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or…
- CVE-2026-31825Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The…
- CVE-2026-31824Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion…
- CVE-2026-31823Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs…
- CVE-2026-31822Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response…
- CVE-2026-31821Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who…
- CVE-2026-31820Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by…
- CVE-2026-31819Mar 10, 2026risk 0.00cvss —epss 0.00
Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to…
- CVE-2024-57610Feb 6, 2025risk 0.00cvss —epss 0.01
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core…
- CVE-2021-3841Nov 15, 2024risk 0.00cvss —epss 0.00
sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.
- CVE-2024-29376Apr 22, 2024risk 0.00cvss —epss 0.00
Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the "Province" field in Address Book.
- CVE-2022-24752Mar 15, 2022risk 0.00cvss —epss 0.01
SyliusGridBundle is a package of generic data grids for Symfony applications. Prior to versions 1.10.1 and 1.11-rc2, values added at the end of query sorting were passed directly to the database. The maintainers do not know if this could lead to direct SQL injections but took…
- CVE-2022-24749Mar 14, 2022risk 0.00cvss —epss 0.01
Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scripting (XSS) code in the admin panel. In order to perform a XSS attack, the file itself has to be open in a new card or…
- CVE-2022-24743Mar 14, 2022risk 0.00cvss —epss 0.01
Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed. The same token could be used several times, which could result in leak of the existing token and unauthorized password…
- CVE-2022-24742Mar 14, 2022risk 0.00cvss —epss 0.01
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed after log out. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. The application must…
- CVE-2022-24733Mar 14, 2022risk 0.00cvss —epss 0.01
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target…
- CVE-2021-41120Oct 5, 2021risk 0.00cvss —epss 0.01
sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id (/pay-with-paypal/{id}) and therefore it was easy to predict. The problem is that the…
- CVE-2021-32720Jun 28, 2021risk 0.00cvss —epss 0.01
Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few…
- CVE-2020-15245Oct 19, 2020risk 0.00cvss —epss 0.01
In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.com and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were…
- CVE-2020-5218Jan 27, 2020risk 0.00cvss —epss 0.01
Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no sylius_channel.debug is set explicitly in the…
- CVE-2019-16768Dec 5, 2019risk 0.00cvss —epss 0.01
In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may…