CVE-2026-31822
Published: Mar 10, 2026
Modified: Mar 11, 2026
Description
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
| Vendor | Product | Versions |
|---|---|---|
| Sylius | Sylius | affected >= 2.2.0, < 2.2.3 |
| Sylius | Sylius | affected >= 2.1.0, < 2.1.12 |
| Sylius | Sylius | affected >= 2.0.0, < 2.0.16 |
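As an added example (not Sylius's own code), the failure handler in the vulnerable shape the advisory describes, beside a hardened form that writes the message as text; the element stand-in, the response shape and the function names are assumptions.

```javascript
// Added example, not Sylius code: element stand-in, response shape and names are assumptions.

// Vulnerable: the JSON message is written with innerHTML, so any markup the
// server echoes back is handed to the browser's HTML parser.
function renderFailureUnsafe(target, body) {
  target.innerHTML = body.message;
}

// Hardened: textContent writes the string as text, never as markup, and a
// non-string message falls back to a fixed notice.
function renderFailureSafe(target, body) {
  const message = body && typeof body.message === 'string'
    ? body.message
    : 'Login failed.';
  target.textContent = message;
}

// Minimal stand-in for a DOM element so the example runs under Node without a
// browser. The innerHTML setter crudely mimics the parser: tags are consumed as
// markup, so only the text between them remains visible. textContent keeps the
// string verbatim.
function makeFakeElement() {
  const el = { lastWrite: null, text: '' };
  Object.defineProperty(el, 'innerHTML', {
    set(value) {
      el.lastWrite = 'innerHTML';
      el.text = String(value).replace(/<[^>]*>/g, '');
    },
  });
  Object.defineProperty(el, 'textContent', {
    get() { return el.text; },
    set(value) {
      el.lastWrite = 'textContent';
      el.text = String(value);
    },
  });
  return el;
}

// Constructed failure response: a message that carries a tag.
const sampleFailure = { message: 'Invalid credentials <b>(try again)</b>' };

// Runs both handlers on the sample and reports how each treated the markup.
function compareHandlers(body = sampleFailure) {
  const unsafe = makeFakeElement();
  const safe = makeFakeElement();
  renderFailureUnsafe(unsafe, body);
  renderFailureSafe(safe, body);
  return { unsafe: unsafe.text, safe: safe.text };
}
```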