← Voltar para CVEs
CVE-2026-31822
MEDIUM6.1
Descricao
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
Detalhes CVE
Pontuacao CVSS v3.16.1
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioREQUIRED
Publicado3/10/2026
Ultima modificacao3/11/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
sylius:sylius
Fraquezas (CWE)
CWE-79
Referencias
https://github.com/Sylius/Sylius/security/advisories/GHSA-vgh8-c6fp-7gcg(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.