Cross-Site Scripting Vulnerability in Sylius eCommerce Framework
CVE-2026-31822

5.3 MEDIUM

Key Information:

Vendor: Sylius

Status: Vendor

CVE Published: 10 March 2026

What is CVE-2026-31822?

The Sylius eCommerce framework, built on Symfony, has a cross-site scripting (XSS) weakness in the shop checkout login form managed by the ApiLoginController Stimulus controller. Specifically, when a login fails, the AuthenticationFailureHandler generates a JSON response whose message is inserted into the DOM via innerHTML. Because innerHTML parses its input as markup, any HTML or JavaScript contained in the message is rendered and executed rather than displayed as text, posing a risk to users' security. The vulnerability has been addressed in versions 2.0.16, 2.1.12, and 2.2.3 and above.
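The description above comes down to one DOM sink choice. The following is an added example, not Sylius code and not the project's actual controller or failure handler: it shows the unsafe innerHTML pattern beside the hardened textContent (or escape-then-insert) form, plus a small check a defender can use to flag failure messages that carry markup. The response shape `{"message": "..."}`, the element stand-in and the sample messages are assumptions constructed for the example.

```javascript
// Added example (not Sylius code). Assumes the failure handler returns JSON of the
// shape {"message": "..."}; that key name is an assumption, not taken from the project.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter when text is written into an HTML context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: innerHTML parses the message as markup, so tags in it are
// rendered and any event handlers or scripts they carry are executed.
function renderFailureUnsafe(errorEl, failureJson) {
  const { message } = JSON.parse(failureJson);
  errorEl.innerHTML = message;
  return errorEl;
}

// Hardened pattern: textContent creates a text node; nothing in the string is parsed.
function renderFailureSafe(errorEl, failureJson) {
  const { message } = JSON.parse(failureJson);
  errorEl.textContent = message;
  return errorEl;
}

// Alternative when a markup sink must be used: escape the message first.
function renderFailureEscaped(errorEl, failureJson) {
  const { message } = JSON.parse(failureJson);
  errorEl.innerHTML = escapeHtml(message);
  return errorEl;
}

// Detection aid for logs or tests: a login-failure message should never contain
// anything that looks like an HTML tag or comment opener.
function messageContainsMarkup(message) {
  return /<[a-z!/?]/i.test(String(message));
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
// In a real page these would be properties of the element returned by querySelector.
function makeFakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed sample responses; the second carries a harmless <b> tag to show the difference.
const PLAIN_FAILURE = JSON.stringify({ message: 'Invalid credentials.' });
const MARKUP_FAILURE = JSON.stringify({ message: 'Invalid credentials. <b>x</b>' });

function demo() {
  const unsafe = renderFailureUnsafe(makeFakeElement(), MARKUP_FAILURE);
  const safe = renderFailureSafe(makeFakeElement(), MARKUP_FAILURE);
  const escaped = renderFailureEscaped(makeFakeElement(), MARKUP_FAILURE);
  return {
    unsafeInnerHtml: unsafe.innerHTML,      // raw markup reaches the parser
    safeTextContent: safe.textContent,      // stored verbatim as text
    escapedInnerHtml: escaped.innerHTML,    // tags neutralised before the sink
    plainFlagged: messageContainsMarkup(JSON.parse(PLAIN_FAILURE).message),
    markupFlagged: messageContainsMarkup(JSON.parse(MARKUP_FAILURE).message),
  };
}

console.log(demo());
```

The fix in the patched Sylius versions is the same idea: treat the server's failure message as data, not markup. The `messageContainsMarkup` check is only a tripwire; the real defence is choosing the right sink, since a regex cannot enumerate every way markup can be smuggled into a string.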

Affected Version(s)

Sylius >= 2.2.0, < 2.2.3 (fixed in 2.2.3)

Sylius >= 2.1.0, < 2.1.12 (fixed in 2.1.12)

Sylius >= 2.0.0, < 2.0.16 (fixed in 2.0.16)

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
