Open Redirect in Sylius

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirectin…

Vulnerability class: Open Redirect

EPSS: 0.001 (17.5th percentile) — read the EPSS interpretation.

Affected products

Sylius — versions >= 2.2.0, < 2.2.3, >= 2.1.0, < 2.1.12, >= 2.0.0, < 2.0.16

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

https://github.com/Sylius/Sylius/security/advisories/GHSA-9ffx-f77r-756w (x_refsource_CONFIRM)