GHSA-MX4Q-XXC9-PF5Q

Vulnerability from github – Published: 2026-03-11 00:13 – Updated: 2026-03-11 20:33
VLAI?
Summary
Sylius Vulnerable to Authenticated Stored XSS
Details

Impact

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML.

Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront.

Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel.

Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names.

An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users.

Patches

The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Workarounds

Override vulnerable templates and JavaScript controllers at the project level.

Step 1 — Override shop breadcrumbs template

templates/bundles/SyliusShopBundle/shared/breadcrumbs.html.twig:

{% macro breadcrumbs(items) %}
    <ol class="breadcrumb" aria-label="breadcrumbs">
        {% for item in items %}
            <li class="breadcrumb-item fw-normal{{ item.active is defined and item.active ? ' active' }}">
                {% if item.path is defined %}
                    <a class="link-reset" href="{{ item.path }}" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}>{{ item.label }}</a>
                {% else %}
                    <span class="text-body-tertiary text-break" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}>{{ item.label }}</span>
                {% endif %}
            </li>
        {% endfor %}
    </ol>
{% endmacro %}

Step 2 — Override order breadcrumbs template

templates/bundles/SyliusShopBundle/account/order/show/content/breadcrumbs.html.twig:

{% from '@SyliusShop/shared/breadcrumbs.html.twig' import breadcrumbs as breadcrumbs %}

{% set order = hookable_metadata.context.order %}

<div class="col-12">
    {{ breadcrumbs([
        { label: 'sylius.ui.home'|trans, path: path('sylius_shop_homepage')},
        { label: 'sylius.ui.my_account'|trans, path: path('sylius_shop_account_dashboard')},
        { label: 'sylius.ui.order_history'|trans, path: path('sylius_shop_account_order_index')},
        { label: '#'~order.number, active: true, test_attribute: 'order-number' }
    ]) }}
</div>

Step 3 — Override ProductTaxonTreeController.js

Disable the vendor controller in assets/admin/controllers.json:

  "product-taxon-tree": {
-   "enabled": true,
+   "enabled": false,
    "fetch": "lazy"
  },

Create assets/admin/controllers/product_taxon_tree_controller.js — copy the original from vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Resources/assets/controllers/ProductTaxonTreeController.js and apply the following change:

+ const escapeHtml = (str) => {
+     const div = document.createElement('div');
+     div.textContent = str;
+     return div.innerHTML;
+ };

  // in rowRenderer:
- <span class="infinite-tree-title">${name}</span>
+ <span class="infinite-tree-title">${escapeHtml(name)}</span>

Register the patched controller in assets/admin/bootstrap.js:

import ProductTaxonTreeController from './controllers/product_taxon_tree_controller';
app.register('sylius--admin-bundle--product-taxon-tree', ProductTaxonTreeController);

Step 4 — Add autocomplete XSS protection

assets/admin/scripts/autocomplete-xss-protection.js:

const escapeHtml = (str) => {
    if (typeof str !== 'string') return str;
    const div = document.createElement('div');
    div.textContent = str;
    return div.innerHTML;
};

document.addEventListener('autocomplete:pre-connect', (event) => {
    const options = event.detail.options;
    if (!options.render) return;

    const labelField = options.labelField || 'text';
    const wrapRenderer = (renderer) => {
        if (!renderer) return renderer;
        return (data, escape) => {
            const escaped = { ...data };
            if (escaped[labelField]) {
                escaped[labelField] = escapeHtml(escaped[labelField]);
            }
            return renderer(escaped, escape);
        };
    };

    if (options.render.item) options.render.item = wrapRenderer(options.render.item);
    if (options.render.option) options.render.option = wrapRenderer(options.render.option);
});

Import in assets/admin/entrypoint.js before bootstrap:

+ import './scripts/autocomplete-xss-protection';
  import './bootstrap.js';

Step 5 — Rebuild assets

yarn encore dev  # or: yarn encore production

Reporters

We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Djibril Mounkoro (@whiteov3rflow) - Bartłomiej Nowiński (@bnBart)

For more information

If you have any questions or comments about this advisory:

Severity ?
4.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:13:20Z",
    "nvd_published_at": "2026-03-10T22:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML.\n\n**Shop breadcrumbs** (`shared/breadcrumbs.html.twig`): The `breadcrumbs` macro uses the Twig `|raw` filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like `\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e` is rendered and executed as JavaScript on the storefront.\n\n**Admin product taxon picker** (`ProductTaxonTreeController.js`): The `rowRenderer` method interpolates `${name}` directly into a template literal building HTML, allowing script injection through taxon names in the admin panel.\n\n**Admin autocomplete fields** (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names.\n\nAn **authenticated administrator** can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users.\n\n### Patches\n\nThe issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.\n\n### Workarounds\n\nOverride vulnerable templates and JavaScript controllers at the project level.\n\n---\n\n#### Step 1 \u2014 Override shop breadcrumbs template\n\n`templates/bundles/SyliusShopBundle/shared/breadcrumbs.html.twig`:\n\n```twig\n{% macro breadcrumbs(items) %}\n    \u003col class=\"breadcrumb\" aria-label=\"breadcrumbs\"\u003e\n        {% for item in items %}\n            \u003cli class=\"breadcrumb-item fw-normal{{ item.active is defined and item.active ? \u0027 active\u0027 }}\"\u003e\n                {% if item.path is defined %}\n                    \u003ca class=\"link-reset\" href=\"{{ item.path }}\" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}\u003e{{ item.label }}\u003c/a\u003e\n                {% else %}\n                    \u003cspan class=\"text-body-tertiary text-break\" {{ item.test_attribute is defined ? sylius_test_html_attribute(item.test_attribute) }}\u003e{{ item.label }}\u003c/span\u003e\n                {% endif %}\n            \u003c/li\u003e\n        {% endfor %}\n    \u003c/ol\u003e\n{% endmacro %}\n```\n\n#### Step 2 \u2014 Override order breadcrumbs template\n\n`templates/bundles/SyliusShopBundle/account/order/show/content/breadcrumbs.html.twig`:\n\n```twig\n{% from \u0027@SyliusShop/shared/breadcrumbs.html.twig\u0027 import breadcrumbs as breadcrumbs %}\n\n{% set order = hookable_metadata.context.order %}\n\n\u003cdiv class=\"col-12\"\u003e\n    {{ breadcrumbs([\n        { label: \u0027sylius.ui.home\u0027|trans, path: path(\u0027sylius_shop_homepage\u0027)},\n        { label: \u0027sylius.ui.my_account\u0027|trans, path: path(\u0027sylius_shop_account_dashboard\u0027)},\n        { label: \u0027sylius.ui.order_history\u0027|trans, path: path(\u0027sylius_shop_account_order_index\u0027)},\n        { label: \u0027#\u0027~order.number, active: true, test_attribute: \u0027order-number\u0027 }\n    ]) }}\n\u003c/div\u003e\n```\n\n#### Step 3 \u2014 Override ProductTaxonTreeController.js\n\nDisable the vendor controller in `assets/admin/controllers.json`:\n\n```diff\n  \"product-taxon-tree\": {\n-   \"enabled\": true,\n+   \"enabled\": false,\n    \"fetch\": \"lazy\"\n  },\n```\n\nCreate `assets/admin/controllers/product_taxon_tree_controller.js` \u2014 copy the original from `vendor/sylius/sylius/src/Sylius/Bundle/AdminBundle/Resources/assets/controllers/ProductTaxonTreeController.js` and apply the following change:\n\n```diff\n+ const escapeHtml = (str) =\u003e {\n+     const div = document.createElement(\u0027div\u0027);\n+     div.textContent = str;\n+     return div.innerHTML;\n+ };\n\n  // in rowRenderer:\n- \u003cspan class=\"infinite-tree-title\"\u003e${name}\u003c/span\u003e\n+ \u003cspan class=\"infinite-tree-title\"\u003e${escapeHtml(name)}\u003c/span\u003e\n```\n\nRegister the patched controller in `assets/admin/bootstrap.js`:\n\n```js\nimport ProductTaxonTreeController from \u0027./controllers/product_taxon_tree_controller\u0027;\napp.register(\u0027sylius--admin-bundle--product-taxon-tree\u0027, ProductTaxonTreeController);\n```\n\n#### Step 4 \u2014 Add autocomplete XSS protection\n\n`assets/admin/scripts/autocomplete-xss-protection.js`:\n\n```js\nconst escapeHtml = (str) =\u003e {\n    if (typeof str !== \u0027string\u0027) return str;\n    const div = document.createElement(\u0027div\u0027);\n    div.textContent = str;\n    return div.innerHTML;\n};\n\ndocument.addEventListener(\u0027autocomplete:pre-connect\u0027, (event) =\u003e {\n    const options = event.detail.options;\n    if (!options.render) return;\n\n    const labelField = options.labelField || \u0027text\u0027;\n    const wrapRenderer = (renderer) =\u003e {\n        if (!renderer) return renderer;\n        return (data, escape) =\u003e {\n            const escaped = { ...data };\n            if (escaped[labelField]) {\n                escaped[labelField] = escapeHtml(escaped[labelField]);\n            }\n            return renderer(escaped, escape);\n        };\n    };\n\n    if (options.render.item) options.render.item = wrapRenderer(options.render.item);\n    if (options.render.option) options.render.option = wrapRenderer(options.render.option);\n});\n```\n\nImport in `assets/admin/entrypoint.js` **before** bootstrap:\n\n```diff\n+ import \u0027./scripts/autocomplete-xss-protection\u0027;\n  import \u0027./bootstrap.js\u0027;\n```\n\n#### Step 5 \u2014 Rebuild assets\n\n```bash\nyarn encore dev  # or: yarn encore production\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- Djibril Mounkoro (@whiteov3rflow)\n- Bart\u0142omiej Nowi\u0144ski (@bnBart)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-mx4q-xxc9-pf5q",
  "modified": "2026-03-11T20:33:00Z",
  "published": "2026-03-11T00:13:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31823"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/Sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sylius Vulnerable to Authenticated Stored XSS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.