Vulnerability-Lookup

CVE-2026-31823 (GCVE-0-2026-31823)

Vulnerability from cvelistv5 – Published: 2026-03-10 21:29 – Updated: 2026-03-11 15:59

Title

Sylius has Authenticated Stored XSS

Summary

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/Sylius/Sylius/security/advisor…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Sylius	Sylius	Affected: >= 2.2.0, < 2.2.3 Affected: >= 2.1.0, < 2.1.12 Affected: >= 2.0.0, < 2.0.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31823",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:51:57.765230Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:59:42.607Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sylius",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.1.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T21:29:13.828Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q"
        }
      ],
      "source": {
        "advisory": "GHSA-mx4q-xxc9-pf5q",
        "discovery": "UNKNOWN"
      },
      "title": "Sylius has Authenticated Stored XSS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31823",
    "datePublished": "2026-03-10T21:29:13.828Z",
    "dateReserved": "2026-03-09T17:41:56.077Z",
    "dateUpdated": "2026-03-11T15:59:42.607Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31823\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T22:16:19.973\",\"lastModified\":\"2026-03-11T19:31:00.943\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.\"},{\"lang\":\"es\",\"value\":\"Sylius es un marco de comercio electr\u00f3nico de c\u00f3digo abierto basado en Symfony. Existe una vulnerabilidad de tipo cross-site scripting (XSS) almacenada y autenticada en varios lugares del frontend de la tienda y del panel de administraci\u00f3n debido a que los nombres de las entidades no desinfectados se representan como HTML sin procesar. Migas de pan de la tienda (shared/breadcrumbs.html.twig): la macro de migas de pan utiliza el filtro Twig |raw en los valores de las etiquetas. Dado que los nombres de taxones, los nombres de productos y los nombres de antecesores fluyen directamente a estas etiquetas, un nombre de tax\u00f3n malicioso como  se representa y se ejecuta como JavaScript en la tienda. Selector de taxones de productos del administrador (ProductTaxonTreeController.js): El m\u00e9todo rowRenderer interpola ${name} directamente en una plantilla literal que crea HTML, lo que permite la inyecci\u00f3n de scripts a trav\u00e9s de los nombres de taxones en el panel de administraci\u00f3n. Campos de autocompletado del administrador (Tom Select): Los elementos y opciones desplegables representan los nombres de las entidades como HTML sin procesar sin escapar, lo que permite XSS a trav\u00e9s de cualquier campo de autocompletado que muestre nombres de entidades. Un administrador autenticado puede inyectar HTML o JavaScript arbitrario a trav\u00e9s de nombres de entidades (por ejemplo, nombre de tax\u00f3n) que se representan de forma persistente para todos los usuarios. El problema se ha solucionado en las versiones: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 y superiores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.0.16\",\"matchCriteriaId\":\"DA9449ED-A73A-4D16-A464-DBCBE24CA6A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.1.12\",\"matchCriteriaId\":\"F45888BF-720D-4B78-BA7D-ED7E5E091A8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.3\",\"matchCriteriaId\":\"9A2540B0-56B9-4B15-9876-BE908A80BB0A\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Sylius has Authenticated Stored XSS\", \"source\": {\"advisory\": \"GHSA-mx4q-xxc9-pf5q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"Sylius\", \"product\": \"Sylius\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.2.0, \u003c 2.2.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.1.0, \u003c 2.1.12\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.0.16\"}]}], \"references\": [{\"url\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q\", \"name\": \"https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T21:29:13.828Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-31823\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T15:51:57.765230Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-11T15:51:59.289Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-31823\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T21:29:13.828Z\", \"dateReserved\": \"2026-03-09T17:41:56.077Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T21:29:13.828Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-MX4Q-XXC9-PF5Q

Vulnerability from github – Published: 2026-03-11 00:13 – Updated: 2026-03-11 20:33

Summary

Sylius Vulnerable to Authenticated Stored XSS

Details

Impact

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML.

Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront.

Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel.

Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names.

An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users.

Patches

The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Workarounds

Override vulnerable templates and JavaScript controllers at the project level.

Step 1 — Override shop breadcrumbs template

templates/bundles/SyliusShopBundle/shared/breadcrumbs.html.twig:

{% macro breadcrumbs(items) %}
    <ol class="breadcrumb" aria-label="breadcrumbs">
        {% for item in items %}
            <li class="breadcrumb-item fw-normal{{ item.active is defined and item.active ? ' active' }}">
                {% if item.path is defined %}
                    <a class="link-reset" href="{{ item.path }}" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}>{{ item.label }}</a>
                {% else %}
                    <span class="text-body-tertiary text-break" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}>{{ item.label }}</span>
                {% endif %}
            </li>
        {% endfor %}
    </ol>
{% endmacro %}

Step 2 — Override order breadcrumbs template

templates/bundles/SyliusShopBundle/account/order/show/content/breadcrumbs.html.twig:

{% from '@SyliusShop/shared/breadcrumbs.html.twig' import breadcrumbs as breadcrumbs %}

{% set order = hookable_metadata.context.order %}

<div class="col-12">
    {{ breadcrumbs([
        { label: 'sylius.ui.home'|trans, path: path('sylius_shop_homepage')},
        { label: 'sylius.ui.my_account'|trans, path: path('sylius_shop_account_dashboard')},
        { label: 'sylius.ui.order_history'|trans, path: path('sylius_shop_account_order_index')},
        { label: '#'~order.number, active: true, test_attribute: 'order-number' }
    ]) }}
</div>

Step 3 — Override ProductTaxonTreeController.js

Disable the vendor controller in assets/admin/controllers.json:

  "product-taxon-tree": {
-   "enabled": true,
+   "enabled": false,
    "fetch": "lazy"
  },

Create assets/admin/controllers/product_taxon_tree_controller.js — copy the original from vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Resources/assets/controllers/ProductTaxonTreeController.js and apply the following change:

+ const escapeHtml = (str) => {
+     const div = document.createElement('div');
+     div.textContent = str;
+     return div.innerHTML;
+ };

  // in rowRenderer:
- <span class="infinite-tree-title">${name}</span>
+ <span class="infinite-tree-title">${escapeHtml(name)}</span>

import ProductTaxonTreeController from './controllers/product_taxon_tree_controller';
app.register('sylius--admin-bundle--product-taxon-tree', ProductTaxonTreeController);

Step 4 — Add autocomplete XSS protection

assets/admin/scripts/autocomplete-xss-protection.js:

const escapeHtml = (str) => {
    if (typeof str !== 'string') return str;
    const div = document.createElement('div');
    div.textContent = str;
    return div.innerHTML;
};

document.addEventListener('autocomplete:pre-connect', (event) => {
    const options = event.detail.options;
    if (!options.render) return;

    const labelField = options.labelField || 'text';
    const wrapRenderer = (renderer) => {
        if (!renderer) return renderer;
        return (data, escape) => {
            const escaped = { ...data };
            if (escaped[labelField]) {
                escaped[labelField] = escapeHtml(escaped[labelField]);
            }
            return renderer(escaped, escape);
        };
    };

    if (options.render.item) options.render.item = wrapRenderer(options.render.item);
    if (options.render.option) options.render.option = wrapRenderer(options.render.option);
});

Import in assets/admin/entrypoint.js before bootstrap:

+ import './scripts/autocomplete-xss-protection';
  import './bootstrap.js';

Step 5 — Rebuild assets

yarn encore dev  # or: yarn encore production

Reporters

We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Djibril Mounkoro (@whiteov3rflow) - Bartłomiej Nowiński (@bnBart)

For more information

If you have any questions or comments about this advisory:

Open an issue in Sylius issues
Email us at security@sylius.com

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:13:20Z",
    "nvd_published_at": "2026-03-10T22:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML.\n\n**Shop breadcrumbs** (`shared/breadcrumbs.html.twig`): The `breadcrumbs` macro uses the Twig `|raw` filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like `\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e` is rendered and executed as JavaScript on the storefront.\n\n**Admin product taxon picker** (`ProductTaxonTreeController.js`): The `rowRenderer` method interpolates `${name}` directly into a template literal building HTML, allowing script injection through taxon names in the admin panel.\n\n**Admin autocomplete fields** (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names.\n\nAn **authenticated administrator** can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users.\n\n### Patches\n\nThe issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.\n\n### Workarounds\n\nOverride vulnerable templates and JavaScript controllers at the project level.\n\n---\n\n#### Step 1 \u2014 Override shop breadcrumbs template\n\n`templates/bundles/SyliusShopBundle/shared/breadcrumbs.html.twig`:\n\n```twig\n{% macro breadcrumbs(items) %}\n    \u003col class=\"breadcrumb\" aria-label=\"breadcrumbs\"\u003e\n        {% for item in items %}\n            \u003cli class=\"breadcrumb-item fw-normal{{ item.active is defined and item.active ? \u0027 active\u0027 }}\"\u003e\n                {% if item.path is defined %}\n                    \u003ca class=\"link-reset\" href=\"{{ item.path }}\" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}\u003e{{ item.label }}\u003c/a\u003e\n                {% else %}\n                    \u003cspan class=\"text-body-tertiary text-break\" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}\u003e{{ item.label }}\u003c/span\u003e\n                {% endif %}\n            \u003c/li\u003e\n        {% endfor %}\n    \u003c/ol\u003e\n{% endmacro %}\n```\n\n#### Step 2 \u2014 Override order breadcrumbs template\n\n`templates/bundles/SyliusShopBundle/account/order/show/content/breadcrumbs.html.twig`:\n\n```twig\n{% from \u0027@SyliusShop/shared/breadcrumbs.html.twig\u0027 import breadcrumbs as breadcrumbs %}\n\n{% set order = hookable_metadata.context.order %}\n\n\u003cdiv class=\"col-12\"\u003e\n    {{ breadcrumbs([\n        { label: \u0027sylius.ui.home\u0027|trans, path: path(\u0027sylius_shop_homepage\u0027)},\n        { label: \u0027sylius.ui.my_account\u0027|trans, path: path(\u0027sylius_shop_account_dashboard\u0027)},\n        { label: \u0027sylius.ui.order_history\u0027|trans, path: path(\u0027sylius_shop_account_order_index\u0027)},\n        { label: \u0027#\u0027~order.number, active: true, test_attribute: \u0027order-number\u0027 }\n    ]) }}\n\u003c/div\u003e\n```\n\n#### Step 3 \u2014 Override ProductTaxonTreeController.js\n\nDisable the vendor controller in `assets/admin/controllers.json`:\n\n```diff\n  \"product-taxon-tree\": {\n-   \"enabled\": true,\n+   \"enabled\": false,\n    \"fetch\": \"lazy\"\n  },\n```\n\nCreate `assets/admin/controllers/product_taxon_tree_controller.js` \u2014 copy the original from `vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Resources/assets/controllers/ProductTaxonTreeController.js` and apply the following change:\n\n```diff\n+ const escapeHtml = (str) =\u003e {\n+     const div = document.createElement(\u0027div\u0027);\n+     div.textContent = str;\n+     return div.innerHTML;\n+ };\n\n  // in rowRenderer:\n- \u003cspan class=\"infinite-tree-title\"\u003e${name}\u003c/span\u003e\n+ \u003cspan class=\"infinite-tree-title\"\u003e${escapeHtml(name)}\u003c/span\u003e\n```\n\nRegister the patched controller in `assets/admin/bootstrap.js`:\n\n```js\nimport ProductTaxonTreeController from \u0027./controllers/product_taxon_tree_controller\u0027;\napp.register(\u0027sylius--admin-bundle--product-taxon-tree\u0027, ProductTaxonTreeController);\n```\n\n#### Step 4 \u2014 Add autocomplete XSS protection\n\n`assets/admin/scripts/autocomplete-xss-protection.js`:\n\n```js\nconst escapeHtml = (str) =\u003e {\n    if (typeof str !== \u0027string\u0027) return str;\n    const div = document.createElement(\u0027div\u0027);\n    div.textContent = str;\n    return div.innerHTML;\n};\n\ndocument.addEventListener(\u0027autocomplete:pre-connect\u0027, (event) =\u003e {\n    const options = event.detail.options;\n    if (!options.render) return;\n\n    const labelField = options.labelField || \u0027text\u0027;\n    const wrapRenderer = (renderer) =\u003e {\n        if (!renderer) return renderer;\n        return (data, escape) =\u003e {\n            const escaped = { ...data };\n            if (escaped[labelField]) {\n                escaped[labelField] = escapeHtml(escaped[labelField]);\n            }\n            return renderer(escaped, escape);\n        };\n    };\n\n    if (options.render.item) options.render.item = wrapRenderer(options.render.item);\n    if (options.render.option) options.render.option = wrapRenderer(options.render.option);\n});\n```\n\nImport in `assets/admin/entrypoint.js` **before** bootstrap:\n\n```diff\n+ import \u0027./scripts/autocomplete-xss-protection\u0027;\n  import \u0027./bootstrap.js\u0027;\n```\n\n#### Step 5 \u2014 Rebuild assets\n\n```bash\nyarn encore dev  # or: yarn encore production\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- Djibril Mounkoro (@whiteov3rflow)\n- Bart\u0142omiej Nowi\u0144ski (@bnBart)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-mx4q-xxc9-pf5q",
  "modified": "2026-03-11T20:33:00Z",
  "published": "2026-03-11T00:13:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31823"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sylius Vulnerable to Authenticated Stored XSS"
}

FKIE_CVE-2026-31823

Vulnerability from fkie_nvd - Published: 2026-03-10 22:16 - Updated: 2026-03-11 19:31

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q	Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
sylius	sylius	*
sylius	sylius	*
sylius	sylius	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA9449ED-A73A-4D16-A464-DBCBE24CA6A6",
              "versionEndExcluding": "2.0.16",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F45888BF-720D-4B78-BA7D-ED7E5E091A8C",
              "versionEndExcluding": "2.1.12",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A2540B0-56B9-4B15-9876-BE908A80BB0A",
              "versionEndExcluding": "2.2.3",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above."
    },
    {
      "lang": "es",
      "value": "Sylius es un marco de comercio electr\u00f3nico de c\u00f3digo abierto basado en Symfony. Existe una vulnerabilidad de tipo cross-site scripting (XSS) almacenada y autenticada en varios lugares del frontend de la tienda y del panel de administraci\u00f3n debido a que los nombres de las entidades no desinfectados se representan como HTML sin procesar. Migas de pan de la tienda (shared/breadcrumbs.html.twig): la macro de migas de pan utiliza el filtro Twig |raw en los valores de las etiquetas. Dado que los nombres de taxones, los nombres de productos y los nombres de antecesores fluyen directamente a estas etiquetas, un nombre de tax\u00f3n malicioso como  se representa y se ejecuta como JavaScript en la tienda. Selector de taxones de productos del administrador (ProductTaxonTreeController.js): El m\u00e9todo rowRenderer interpola ${name} directamente en una plantilla literal que crea HTML, lo que permite la inyecci\u00f3n de scripts a trav\u00e9s de los nombres de taxones en el panel de administraci\u00f3n. Campos de autocompletado del administrador (Tom Select): Los elementos y opciones desplegables representan los nombres de las entidades como HTML sin procesar sin escapar, lo que permite XSS a trav\u00e9s de cualquier campo de autocompletado que muestre nombres de entidades. Un administrador autenticado puede inyectar HTML o JavaScript arbitrario a trav\u00e9s de nombres de entidades (por ejemplo, nombre de tax\u00f3n) que se representan de forma persistente para todos los usuarios. El problema se ha solucionado en las versiones: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 y superiores."
    }
  ],
  "id": "CVE-2026-31823",
  "lastModified": "2026-03-11T19:31:00.943",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T22:16:19.973",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-31823 (GCVE-0-2026-31823)

GHSA-MX4Q-XXC9-PF5Q

Impact

Patches

Workarounds

Step 1 — Override shop breadcrumbs template

Step 2 — Override order breadcrumbs template

Step 3 — Override ProductTaxonTreeController.js

Step 4 — Add autocomplete XSS protection

Step 5 — Rebuild assets

Reporters

For more information

FKIE_CVE-2026-31823

Tags

Sightings

Nomenclature