← Retour aux CVEs
CVE-2026-31822
MEDIUM6.1
Description
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Details CVE
Score CVSS v3.16.1
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurREQUIRED
Publie3/10/2026
Derniere modification3/11/2026
Sourcenvd
Observations honeypot0
Produits affectes
sylius:sylius
Faiblesses (CWE)
CWE-79
References
https://github.com/Sylius/Sylius/security/advisories/GHSA-vgh8-c6fp-7gcg(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.