Sylius (vendor: Sylius)
17 CVEs affecting Sylius. Latest disclosed: 2026-03-10. Critical: 0, High: 2. Four of the entries published 2026-03-10 have no severity or CVSS score assigned yet, so they are listed without one.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-31824 | High | 8.2 | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enf… |
| CVE-2022-24743 | High | 7.1 | 2022-03-14 | Sylius is an open source eCommerce platform. Prior to versions 1.10.11 and 1.11.2, the reset password token was not set to null after the password was changed… |
| CVE-2022-24749 | Medium | 6.1 | 2022-03-14 | Sylius is an open source eCommerce platform. In versions prior to 1.9.10, 1.10.11, and 1.11.2, it is possible to upload an SVG file containing cross-site scrip… |
| CVE-2022-24733 | Medium | 6.1 | 2022-03-14 | Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the web… |
| CVE-2026-31825 | Medium | 5.3 | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied… |
| CVE-2024-40633 | Medium | 5.3 | 2024-07-17 | Sylius is an Open Source eCommerce Framework on Symfony. A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retriev… |
| CVE-2021-32720 | Medium | 5.3 | 2021-06-28 | Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order numbe… |
| CVE-2022-24742 | Medium | 5.0 | 2022-03-14 | Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, any other user can view the data if browser tab remains unclosed af… |
| CVE-2026-31823 | Medium | 4.8 | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the… |
| CVE-2024-34349 | Medium | 4.8 | 2024-05-10 | Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to per… |
| CVE-2020-5218 | Medium | 4.4 | 2020-01-27 | Affected versions of Sylius give attackers the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be… |
| CVE-2020-15245 | Medium | 4.3 | 2020-10-19 | In Sylius before versions 1.6.9, 1.7.9 and 1.8.3, the user may register in a shop by email mail@example.com, verify it, change it to the mail another@domain.co… |
| CVE-2019-16768 | Low | 3.5 | 2019-12-05 | In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception… |
| CVE-2026-31822 | | | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLo… |
| CVE-2026-31821 | | | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenti… |
| CVE-2026-31820 | | | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveCom… |
| CVE-2026-31819 | | | 2026-03-10 | Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBa… |
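The highest-scored entry above, CVE-2026-31824, is a TOCTOU race in promotion usage-limit enforcement. The summary is truncated here and this page does not describe Sylius's code or its fix, so the following is an added, self-contained model of that bug class, not Sylius's implementation: a "check the counter, then increment it" sequence that parallel requests can interleave, next to the single conditional UPDATE that closes the window. The `promotion` table, its columns, the `SALE10` code and all function names are assumptions made for the example; the interleaving is forced explicitly rather than with threads so the outcome is deterministic.

```python
"""Illustrative model of the check-then-act race behind a promotion
usage-limit bypass (the class CVE-2026-31824 belongs to).
Added example code, not Sylius's implementation: table name, columns,
promotion code and helper names are assumptions."""
import sqlite3


def make_db(usage_limit: int, used: int) -> sqlite3.Connection:
    """Constructed sample data: one promotion with a usage limit."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE promotion (code TEXT PRIMARY KEY, usage_limit INTEGER, used INTEGER)"
    )
    conn.execute("INSERT INTO promotion VALUES ('SALE10', ?, ?)", (usage_limit, used))
    conn.commit()
    return conn


def current_usage(conn: sqlite3.Connection, code: str) -> int:
    return conn.execute("SELECT used FROM promotion WHERE code = ?", (code,)).fetchone()[0]


# --- vulnerable pattern: separate time-of-check and time-of-use -----------
def can_apply(conn: sqlite3.Connection, code: str) -> bool:
    """Time-of-check: read the counter and compare it to the limit."""
    used, limit = conn.execute(
        "SELECT used, usage_limit FROM promotion WHERE code = ?", (code,)
    ).fetchone()
    return used < limit


def record_usage(conn: sqlite3.Connection, code: str) -> None:
    """Time-of-use: increment unconditionally, trusting the earlier check."""
    conn.execute("UPDATE promotion SET used = used + 1 WHERE code = ?", (code,))
    conn.commit()


def race_naive(conn: sqlite3.Connection, code: str, concurrent_requests: int) -> int:
    """Schedule N requests so every check runs before any update, which is
    the interleaving an attacker forces by firing requests in parallel.
    Returns the final usage count (exceeds the limit when the race wins)."""
    checks = [can_apply(conn, code) for _ in range(concurrent_requests)]
    for ok in checks:
        if ok:
            record_usage(conn, code)
    return current_usage(conn, code)


# --- hardened pattern: check and increment in one atomic statement -------
def try_apply_atomic(conn: sqlite3.Connection, code: str) -> bool:
    """The predicate is evaluated under the same write lock as the update,
    so there is no window between check and use. rowcount == 0 means the
    limit was already reached and this request must be rejected."""
    cur = conn.execute(
        "UPDATE promotion SET used = used + 1 WHERE code = ? AND used < usage_limit",
        (code,),
    )
    conn.commit()
    return cur.rowcount == 1


def race_atomic(conn: sqlite3.Connection, code: str, concurrent_requests: int) -> tuple:
    """Returns (successful redemptions, final usage count)."""
    successes = sum(try_apply_atomic(conn, code) for _ in range(concurrent_requests))
    return successes, current_usage(conn, code)


if __name__ == "__main__":
    # Limit 10 with 9 already used: exactly one redemption should remain.
    print("naive  :", race_naive(make_db(10, 9), "SALE10", 5))    # 14, limit bypassed
    print("atomic :", race_atomic(make_db(10, 9), "SALE10", 5))   # (1, 10)
```

The same shape applies to any ORM-backed implementation: a `SELECT` followed by an application-side comparison and a separate `UPDATE` is racy regardless of framework, while a conditional `UPDATE ... WHERE used < usage_limit` (or a `SELECT ... FOR UPDATE` inside one transaction) makes the database enforce the limit. When auditing a fix for this class, confirm the check and the write happen in one statement or under one lock, and that the caller actually consults the affected-row count.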