Cross-Site Scripting Vulnerability in Sylius eCommerce Framework
CVE-2026-31823
What is CVE-2026-31823?
An authenticated stored cross-site scripting (XSS) vulnerability has been identified in the Sylius eCommerce Framework. This issue arises from unsanitized entity names being rendered as raw HTML within various components of the application, including the shop frontend and admin panel. Attackers can exploit this vulnerability by injecting malicious JavaScript into taxon names, product names, and other entity labels, which are then executed in the context of users visiting the site. For instance, the breadcrumbs macro improperly uses the Twig |raw filter, allowing attackers to craft harmful inputs that lead to script execution. Similarly, the admin product taxon picker and autocomplete fields facilitate the injection of unsafe HTML and JavaScript, compromising the system's security. Administrators are urged to update to the latest versions to mitigate these risks.
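As an added defender-side check that is not part of the advisory or the Sylius code base, the following Python lint scans Twig templates for the pattern the advisory describes: output tags that switch escaping off with the |raw filter, and blocks that disable autoescape altogether. The template text is constructed for illustration and is not the real Sylius breadcrumbs macro.

```python
import re
from typing import Iterable, List, Tuple

# Constructed Twig snippet modelled on a breadcrumb macro (not Sylius' template).
SAMPLE_TEMPLATE = """\
{% macro breadcrumbs(items) %}
<ol class="breadcrumb">
{% for item in items %}
  <li><a href="{{ item.url }}">{{ item.label|raw }}</a></li>
{% endfor %}
</ol>
{% endmacro %}
<h1>{{ product.name }}</h1>
<p>{{ product.description | raw }}</p>
{% autoescape false %}
<span>{{ taxon.name }}</span>
{% endautoescape %}
"""

# {{ ... }} output tags, including whitespace-control variants {{- ... -}}
OUTPUT_TAG = re.compile(r"\{\{-?\s*(.*?)\s*-?\}\}", re.DOTALL)
# |raw with optional spaces around the pipe, e.g. "name|raw" or "name | raw"
RAW_FILTER = re.compile(r"\|\s*raw\b")
# {% autoescape false %} disables escaping for the whole block
AUTOESCAPE_OFF = re.compile(r"\{%-?\s*autoescape\s+false\s*-?%\}")


def find_raw_output(template: str, allowed: Iterable[str] = ()) -> List[Tuple[int, str]]:
    """Return (line, expression) for every output tag that bypasses HTML
    escaping via |raw and for every block that turns autoescape off.

    `allowed` lists expression prefixes that are deliberately rendered raw
    (for example trusted CMS content) so they are not reported.
    """
    allowed = tuple(allowed)
    findings: List[Tuple[int, str]] = []
    for m in OUTPUT_TAG.finditer(template):
        expr = m.group(1)
        if RAW_FILTER.search(expr) and not expr.startswith(allowed):
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, expr))
    for m in AUTOESCAPE_OFF.finditer(template):
        line = template.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(0)))
    return sorted(findings)


if __name__ == "__main__":
    for line, expr in find_raw_output(SAMPLE_TEMPLATE):
        print(f"line {line}: unescaped output -> {expr}")
```

Each finding should be reviewed: entity names such as taxon or product names are user-controlled and must be rendered with autoescaping left on, while a finding can be added to `allowed` only when the source is known to be trusted HTML.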
Affected Version(s)
Sylius >= 2.2.0, < 2.2.3 (not affected: < 2.2.0, 2.2.3)
Sylius >= 2.1.0, < 2.1.12 (not affected: < 2.1.0, 2.1.12)
Sylius >= 2.0.0, < 2.0.16 (not affected: < 2.0.0, 2.0.16)
