GHSA-9FFX-F77R-756W
Vulnerability from github – Published: 2026-03-11 00:12 – Updated: 2026-03-11 20:32
VLAI?
Summary
Sylius has an Open Redirect via Referer Header
Details
Impact
CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting.
The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain.
The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat.
Affected classes:
- CurrencySwitchController::switchAction() - public
- StorageBasedLocaleSwitcher::handle() - public, used in locale switching without having locale in the url
- ImpersonateUserController::impersonateAction() - admin-only
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Workarounds
If you cannot update Sylius immediately, copy the affected classes from vendor to your project's src/ directory, apply the fix, and override the service definitions.
Step 1 - CurrencySwitchController
Copy from vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Controller/CurrencySwitchController.php to src/Controller/CurrencySwitchController.php and apply the following changes:
-namespace Sylius\Bundle\ShopBundle\Controller;
+namespace App\Controller;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Core\Currency\CurrencyStorageInterface;
use Sylius\Component\Core\Model\ChannelInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\RouterInterface;
final class CurrencySwitchController
{
public function __construct(
private Environment $templatingEngine, // for 1.x version
private CurrencyStorageInterface $currencyStorage,
private ChannelContextInterface $channelContext,
+ private RouterInterface $router,
) {
}
public function switchAction(Request $request, string $code): Response
{
/** @var ChannelInterface $channel */
$channel = $this->channelContext->getChannel();
$this->currencyStorage->set($channel, $code);
- return new RedirectResponse($request->headers->get('referer', $request->getSchemeAndHttpHost()));
+ return new RedirectResponse($this->router->generate('sylius_shop_homepage'));
}
}
Step 2 - ImpersonateUserController
Copy from vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Controller/ImpersonateUserController.php to src/Controller/Admin/ImpersonateUserController.php and apply the following changes:
-namespace Sylius\Bundle\AdminBundle\Controller;
+namespace App\Controller\Admin;
// ... (keep all existing use statements)
public function impersonateAction(Request $request, string $username): Response
{
// ... (keep authorization check and impersonation logic)
$this->addFlash($request, $username);
- $redirectUrl = $request->headers->get(
- 'referer',
+ return new RedirectResponse(
$this->router->generate('sylius_admin_customer_show', ['id' => $user->getId()])
);
-
- return new RedirectResponse($redirectUrl);
}
Step 3 - StorageBasedLocaleSwitcher (only if you use locale_switcher: storage)
Note: Skip this step if you use the default
locale_switcher: urlmode.
Copy from vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Locale/StorageBasedLocaleSwitcher.php to src/Locale/StorageBasedLocaleSwitcher.php and apply the following changes:
For Sylius 1.9 – 2.1.2:
-namespace Sylius\Bundle\ShopBundle\Locale;
+namespace App\Locale;
use Sylius\Bundle\ShopBundle\Locale\LocaleSwitcherInterface;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Core\Locale\LocaleStorageInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Routing\RouterInterface;
final class StorageBasedLocaleSwitcher implements LocaleSwitcherInterface
{
public function __construct(
private LocaleStorageInterface $localeStorage,
private ChannelContextInterface $channelContext,
+ private RouterInterface $router,
) {
}
public function handle(Request $request, string $localeCode): RedirectResponse
{
$this->localeStorage->set($this->channelContext->getChannel(), $localeCode);
- return new RedirectResponse($request->headers->get('referer', $request->getSchemeAndHttpHost()));
+ return new RedirectResponse($this->router->generate('sylius_shop_homepage'));
}
}
For Sylius 2.1.3 and later:
In Sylius 2.1.3 the class was refactored to use
UrlMatcherInterface. While this adds partial validation, it still passes the full referer URL toRedirectResponse, so the open redirect remains exploitable.
-namespace Sylius\Bundle\ShopBundle\Locale;
+namespace App\Locale;
use Sylius\Bundle\ShopBundle\Locale\LocaleSwitcherInterface;
use Sylius\Component\Channel\Context\ChannelContextInterface;
use Sylius\Component\Core\Locale\LocaleStorageInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\Routing\Exception\ResourceNotFoundException;
-use Symfony\Component\Routing\Matcher\UrlMatcherInterface;
+use Symfony\Component\Routing\RouterInterface;
final class StorageBasedLocaleSwitcher implements LocaleSwitcherInterface
{
public function __construct(
private LocaleStorageInterface $localeStorage,
private ChannelContextInterface $channelContext,
- private ?UrlMatcherInterface $urlMatcher = null,
+ private RouterInterface $router,
) {
- if (null === $this->urlMatcher) {
- trigger_deprecation(
- 'sylius/shop-bundle',
- '2.1',
- 'Not passing a "%s" to "%s" is deprecated and will be required in Sylius 3.0.',
- UrlMatcherInterface::class,
- self::class,
- );
- }
}
public function handle(Request $request, string $localeCode): RedirectResponse
{
$this->localeStorage->set($this->channelContext->getChannel(), $localeCode);
- $url = $request->headers->get('referer', $request->getSchemeAndHttpHost());
-
- if ($this->urlMatcher) {
- try {
- $this->urlMatcher->match($url);
- } catch (ResourceNotFoundException) {
- return new RedirectResponse($request->getSchemeAndHttpHost());
- }
- }
-
- return new RedirectResponse($url);
+ return new RedirectResponse($this->router->generate('sylius_shop_homepage'));
}
}
Step 4 - Override the services
Add to config/services.yaml.
Sylius 1.x (1.9 – 1.14):
services:
# ... your existing services ...
sylius.controller.shop.currency_switch:
class: App\Controller\CurrencySwitchController
public: true
arguments:
$templatingEngine: '@twig'
$currencyStorage: '@sylius.storage.currency'
$channelContext: '@sylius.context.channel'
$router: '@router'
sylius.controller.shop.impersonate_user:
class: App\Controller\Admin\ImpersonateUserController
public: true
arguments:
$impersonator: '@sylius.admin.security.user_impersonator'
$authorizationChecker: '@security.authorization_checker'
$userProvider: '@sylius.admin_user_provider.email_or_name_based'
$router: '@router'
$authorizationRole: 'ROLE_ADMINISTRATION_ACCESS'
# Only if you use locale_switcher: storage
sylius.shop.locale_switcher:
class: App\Locale\StorageBasedLocaleSwitcher
public: false
arguments:
$localeStorage: '@sylius.storage.locale'
$channelContext: '@sylius.context.channel'
$router: '@router'
Sylius 2.x (2.0 – 2.1):
services:
# ... your existing services ...
sylius_shop.controller.currency_switch:
class: App\Controller\CurrencySwitchController
public: true
arguments:
$currencyStorage: '@sylius.storage.currency'
$channelContext: '@sylius.context.channel'
$router: '@router'
sylius_admin.controller.impersonate_user:
class: App\Controller\Admin\ImpersonateUserController
public: true
arguments:
$impersonator: '@sylius_admin.security.shop_user_impersonator'
$authorizationChecker: '@security.authorization_checker'
$userProvider: '@sylius.shop_user_provider.email_or_name_based'
$router: '@router'
$authorizationRole: 'ROLE_ADMINISTRATION_ACCESS'
# Only if you use locale_switcher: storage
sylius_shop.locale_switcher:
class: App\Locale\StorageBasedLocaleSwitcher
public: false
arguments:
$localeStorage: '@sylius.storage.locale'
$channelContext: '@sylius.context.channel'
$router: '@router'
Step 5 - Clear cache
bin/console cache:clear
Customizing the redirect target
If you need a different redirect target, override the route definition with the _sylius.redirect attribute:
# config/routes/sylius_shop.yaml (AFTER the sylius_shop resource import)
sylius_shop_switch_currency:
path: /{_locale}/switch-currency/{code}
methods: [GET]
defaults:
_controller: sylius.controller.shop.currency_switch:switchAction
_sylius:
redirect: sylius_shop_product_index # or any route name
Reporters
We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Bartłomiej Nowiński (@bnBart)
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9.11"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.15"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.16"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.22"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.13.14"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.14.17"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.15"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.11"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.2"
},
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31819"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T00:12:29Z",
"nvd_published_at": "2026-03-10T22:16:19Z",
"severity": "MODERATE"
},
"details": "### Impact\n`CurrencySwitchController::switchAction()`, `ImpersonateUserController::impersonateAction()` and `StorageBasedLocaleSwitcher::handle()` use the HTTP Referer header directly when redirecting.\n\nThe attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker\u0027s site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain.\n\nThe severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat.\n\nAffected classes:\n- `CurrencySwitchController::switchAction()` - public\n- `StorageBasedLocaleSwitcher::handle()` - public, used in locale switching without having locale in the `url`\n- `ImpersonateUserController::impersonateAction()` - admin-only\n\n### Patches\nThe issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.\n\n### Workarounds\nIf you cannot update Sylius immediately, copy the affected classes from vendor to your project\u0027s `src/` directory, apply the fix, and override the service definitions.\n\n#### Step 1 - CurrencySwitchController\n\nCopy from `vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Controller/CurrencySwitchController.php` to `src/Controller/CurrencySwitchController.php` and apply the following changes:\n\n```diff\n-namespace Sylius\\Bundle\\ShopBundle\\Controller;\n+namespace App\\Controller;\n\n use Sylius\\Component\\Channel\\Context\\ChannelContextInterface;\n use Sylius\\Component\\Core\\Currency\\CurrencyStorageInterface;\n use Sylius\\Component\\Core\\Model\\ChannelInterface;\n use Symfony\\Component\\HttpFoundation\\RedirectResponse;\n use Symfony\\Component\\HttpFoundation\\Request;\n use Symfony\\Component\\HttpFoundation\\Response;\n+use Symfony\\Component\\Routing\\RouterInterface;\n\n final class CurrencySwitchController\n {\n public function __construct(\n private Environment $templatingEngine, // for 1.x version\n private CurrencyStorageInterface $currencyStorage,\n private ChannelContextInterface $channelContext,\n+ private RouterInterface $router,\n ) {\n }\n\n public function switchAction(Request $request, string $code): Response\n {\n /** @var ChannelInterface $channel */\n $channel = $this-\u003echannelContext-\u003egetChannel();\n\n $this-\u003ecurrencyStorage-\u003eset($channel, $code);\n\n- return new RedirectResponse($request-\u003eheaders-\u003eget(\u0027referer\u0027, $request-\u003egetSchemeAndHttpHost()));\n+ return new RedirectResponse($this-\u003erouter-\u003egenerate(\u0027sylius_shop_homepage\u0027));\n }\n }\n```\n\n#### Step 2 - ImpersonateUserController\n\nCopy from `vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Controller/ImpersonateUserController.php` to `src/Controller/Admin/ImpersonateUserController.php` and apply the following changes:\n\n```diff\n-namespace Sylius\\Bundle\\AdminBundle\\Controller;\n+namespace App\\Controller\\Admin;\n\n // ... (keep all existing use statements)\n\n public function impersonateAction(Request $request, string $username): Response\n {\n // ... (keep authorization check and impersonation logic)\n\n $this-\u003eaddFlash($request, $username);\n\n- $redirectUrl = $request-\u003eheaders-\u003eget(\n- \u0027referer\u0027,\n+ return new RedirectResponse(\n $this-\u003erouter-\u003egenerate(\u0027sylius_admin_customer_show\u0027, [\u0027id\u0027 =\u003e $user-\u003egetId()])\n );\n-\n- return new RedirectResponse($redirectUrl);\n }\n```\n\n#### Step 3 - StorageBasedLocaleSwitcher (only if you use `locale_switcher: storage`)\n\n\u003e **Note:** Skip this step if you use the default `locale_switcher: url` mode.\n\nCopy from `vendor/sylius/sylius/src/Sylius/Bundle/ShopBundle/Locale/StorageBasedLocaleSwitcher.php` to `src/Locale/StorageBasedLocaleSwitcher.php` and apply the following changes:\n\n**For Sylius 1.9 \u2013 2.1.2:**\n\n```diff\n-namespace Sylius\\Bundle\\ShopBundle\\Locale;\n+namespace App\\Locale;\n\n use Sylius\\Bundle\\ShopBundle\\Locale\\LocaleSwitcherInterface;\n use Sylius\\Component\\Channel\\Context\\ChannelContextInterface;\n use Sylius\\Component\\Core\\Locale\\LocaleStorageInterface;\n use Symfony\\Component\\HttpFoundation\\RedirectResponse;\n use Symfony\\Component\\HttpFoundation\\Request;\n+use Symfony\\Component\\Routing\\RouterInterface;\n\n final class StorageBasedLocaleSwitcher implements LocaleSwitcherInterface\n {\n public function __construct(\n private LocaleStorageInterface $localeStorage,\n private ChannelContextInterface $channelContext,\n+ private RouterInterface $router,\n ) {\n }\n\n public function handle(Request $request, string $localeCode): RedirectResponse\n {\n $this-\u003elocaleStorage-\u003eset($this-\u003echannelContext-\u003egetChannel(), $localeCode);\n\n- return new RedirectResponse($request-\u003eheaders-\u003eget(\u0027referer\u0027, $request-\u003egetSchemeAndHttpHost()));\n+ return new RedirectResponse($this-\u003erouter-\u003egenerate(\u0027sylius_shop_homepage\u0027));\n }\n }\n```\n\n**For Sylius 2.1.3 and later:**\n\n\u003e In Sylius 2.1.3 the class was refactored to use `UrlMatcherInterface`. While this adds partial validation, it still passes the full referer URL to `RedirectResponse`, so the open redirect remains exploitable.\n\n```diff\n-namespace Sylius\\Bundle\\ShopBundle\\Locale;\n+namespace App\\Locale;\n\n use Sylius\\Bundle\\ShopBundle\\Locale\\LocaleSwitcherInterface;\n use Sylius\\Component\\Channel\\Context\\ChannelContextInterface;\n use Sylius\\Component\\Core\\Locale\\LocaleStorageInterface;\n use Symfony\\Component\\HttpFoundation\\RedirectResponse;\n use Symfony\\Component\\HttpFoundation\\Request;\n-use Symfony\\Component\\Routing\\Exception\\ResourceNotFoundException;\n-use Symfony\\Component\\Routing\\Matcher\\UrlMatcherInterface;\n+use Symfony\\Component\\Routing\\RouterInterface;\n\n final class StorageBasedLocaleSwitcher implements LocaleSwitcherInterface\n {\n public function __construct(\n private LocaleStorageInterface $localeStorage,\n private ChannelContextInterface $channelContext,\n- private ?UrlMatcherInterface $urlMatcher = null,\n+ private RouterInterface $router,\n ) {\n- if (null === $this-\u003eurlMatcher) {\n- trigger_deprecation(\n- \u0027sylius/shop-bundle\u0027,\n- \u00272.1\u0027,\n- \u0027Not passing a \"%s\" to \"%s\" is deprecated and will be required in Sylius 3.0.\u0027,\n- UrlMatcherInterface::class,\n- self::class,\n- );\n- }\n }\n\n public function handle(Request $request, string $localeCode): RedirectResponse\n {\n $this-\u003elocaleStorage-\u003eset($this-\u003echannelContext-\u003egetChannel(), $localeCode);\n- $url = $request-\u003eheaders-\u003eget(\u0027referer\u0027, $request-\u003egetSchemeAndHttpHost());\n-\n- if ($this-\u003eurlMatcher) {\n- try {\n- $this-\u003eurlMatcher-\u003ematch($url);\n- } catch (ResourceNotFoundException) {\n- return new RedirectResponse($request-\u003egetSchemeAndHttpHost());\n- }\n- }\n-\n- return new RedirectResponse($url);\n+ return new RedirectResponse($this-\u003erouter-\u003egenerate(\u0027sylius_shop_homepage\u0027));\n }\n }\n```\n\n#### Step 4 - Override the services\n\nAdd to `config/services.yaml`.\n\n**Sylius 1.x (1.9 \u2013 1.14):**\n\n```yaml\nservices:\n # ... your existing services ...\n\n sylius.controller.shop.currency_switch:\n class: App\\Controller\\CurrencySwitchController\n public: true\n arguments:\n $templatingEngine: \u0027@twig\u0027\n $currencyStorage: \u0027@sylius.storage.currency\u0027\n $channelContext: \u0027@sylius.context.channel\u0027\n $router: \u0027@router\u0027\n\n sylius.controller.shop.impersonate_user:\n class: App\\Controller\\Admin\\ImpersonateUserController\n public: true\n arguments:\n $impersonator: \u0027@sylius.admin.security.user_impersonator\u0027\n $authorizationChecker: \u0027@security.authorization_checker\u0027\n $userProvider: \u0027@sylius.admin_user_provider.email_or_name_based\u0027\n $router: \u0027@router\u0027\n $authorizationRole: \u0027ROLE_ADMINISTRATION_ACCESS\u0027\n\n # Only if you use locale_switcher: storage\n sylius.shop.locale_switcher:\n class: App\\Locale\\StorageBasedLocaleSwitcher\n public: false\n arguments:\n $localeStorage: \u0027@sylius.storage.locale\u0027\n $channelContext: \u0027@sylius.context.channel\u0027\n $router: \u0027@router\u0027\n```\n\n**Sylius 2.x (2.0 \u2013 2.1):**\n\n```yaml\nservices:\n # ... your existing services ...\n\n sylius_shop.controller.currency_switch:\n class: App\\Controller\\CurrencySwitchController\n public: true\n arguments:\n $currencyStorage: \u0027@sylius.storage.currency\u0027\n $channelContext: \u0027@sylius.context.channel\u0027\n $router: \u0027@router\u0027\n\n sylius_admin.controller.impersonate_user:\n class: App\\Controller\\Admin\\ImpersonateUserController\n public: true\n arguments:\n $impersonator: \u0027@sylius_admin.security.shop_user_impersonator\u0027\n $authorizationChecker: \u0027@security.authorization_checker\u0027\n $userProvider: \u0027@sylius.shop_user_provider.email_or_name_based\u0027\n $router: \u0027@router\u0027\n $authorizationRole: \u0027ROLE_ADMINISTRATION_ACCESS\u0027\n\n # Only if you use locale_switcher: storage\n sylius_shop.locale_switcher:\n class: App\\Locale\\StorageBasedLocaleSwitcher\n public: false\n arguments:\n $localeStorage: \u0027@sylius.storage.locale\u0027\n $channelContext: \u0027@sylius.context.channel\u0027\n $router: \u0027@router\u0027\n```\n\n#### Step 5 - Clear cache\n\n```bash\nbin/console cache:clear\n```\n\n---\n\n#### Customizing the redirect target\n\nIf you need a different redirect target, override the route definition with the `_sylius.redirect` attribute:\n\n```yaml\n# config/routes/sylius_shop.yaml (AFTER the sylius_shop resource import)\nsylius_shop_switch_currency:\n path: /{_locale}/switch-currency/{code}\n methods: [GET]\n defaults:\n _controller: sylius.controller.shop.currency_switch:switchAction\n _sylius:\n redirect: sylius_shop_product_index # or any route name\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- Bart\u0142omiej Nowi\u0144ski (@bnBart)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
"id": "GHSA-9ffx-f77r-756w",
"modified": "2026-03-11T20:32:25Z",
"published": "2026-03-11T00:12:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-9ffx-f77r-756w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31819"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Sylius has an Open Redirect via Referer Header"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…