cvedb.io
CVE-2026-31822
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2026-03-10T22:16:19.810 · Last modified 2026-06-17T10:34:31.397

Summary

Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

Affected products

sylius — sylius

Does this affect you?

Add your gear to cvedb and we'll alert you only when sylius ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.