CVE-2026-31819
Open Redirect Vulnerabilities in Sylius Controllers Enable Phishing
Publication date: 2026-03-10
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sylius | sylius | Up to 1.9.12 (exc) |
| sylius | sylius | From 1.10.0 (inc) to 1.10.16 (exc) |
| sylius | sylius | From 1.11.0 (inc) to 1.11.17 (exc) |
| sylius | sylius | From 1.12.0 (inc) to 1.12.23 (exc) |
| sylius | sylius | From 1.13.0 (inc) to 1.13.15 (exc) |
| sylius | sylius | From 1.14.0 (inc) to 1.14.18 (exc) |
| sylius | sylius | From 2.0.0 (inc) to 2.0.16 (exc) |
| sylius | sylius | From 2.1.0 (inc) to 2.1.12 (exc) |
| sylius | sylius | From 2.2.0 (inc) to 2.2.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Sylius Open Source eCommerce Framework on Symfony. Certain controllers (CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle()) use the HTTP Referer header directly when redirecting users.
An attacker can exploit this by placing a legitimate application link on a page they control. When a victim clicks this link, their browser sends the attacker's site as the Referer header, causing the application to redirect back to the attacker-controlled site.
Because the redirect appears to come from a trusted domain, this can be used for phishing or credential theft. The severity depends on the endpoint: public endpoints require no authentication and are easily exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin clicks a malicious link from an external source.
The issue has been fixed in versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
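A hardened form of the Referer-based redirect described above, added here as an example; it is not Sylius' own code or its patch, and the function name, parameter names and sample hosts are assumptions:

```php
<?php
// Added example, not Sylius code: the advisory's vulnerable pattern is
// `new RedirectResponse($request->headers->get('referer'))` with no check.
// Honour the Referer only when it points at our own host over http(s);
// otherwise fall back to a safe in-app route. Parameter names are assumed.
declare(strict_types=1);

function safeRedirectTarget(?string $referer, string $ownBase, string $fallback): string
{
    // $ownBase is e.g. "https://shop.example" (Symfony: $request->getSchemeAndHttpHost()).
    $ownHost = parse_url($ownBase, PHP_URL_HOST);
    // Header absent (privacy settings, direct navigation): use the fallback.
    if (!is_string($ownHost) || $referer === null || $referer === '') {
        return $fallback;
    }
    $parts = parse_url($referer);
    // Unparseable, or no host at all ("javascript:alert(1)" has only a path).
    if ($parts === false || !isset($parts['host'])) {
        return $fallback;
    }
    // Scheme-relative "//attacker.example/x" parses with a host but no scheme.
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }
    // Exact, case-insensitive host match, so "shop.example.attacker.example" fails.
    if (strcasecmp($parts['host'], $ownHost) !== 0) {
        return $fallback;
    }
    // Rebuild on our own base so userinfo, a foreign port or a "/\host" backslash
    // trick from the Referer never reach the Location header.
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $ownBase . $path . $query;
}

// Constructed sample Referer values (not from the advisory) with expected results.
$own = 'https://shop.example';
$cases = [
    ['https://shop.example/cart?step=2',        'https://shop.example/cart?step=2'],
    ['https://attacker.example/lure',           'https://shop.example/'],
    ['//attacker.example/lure',                 'https://shop.example/'],
    ['https://shop.example.attacker.example/x', 'https://shop.example/'],
    ['https://user:pw@shop.example:8443/a',     'https://shop.example/a'],
    ['javascript:alert(1)',                     'https://shop.example/'],
    [null,                                      'https://shop.example/'],
];
foreach ($cases as [$referer, $expected]) {
    $got = safeRedirectTarget($referer, $own, $own . '/');
    printf("%-42s -> %s %s\n", var_export($referer, true), $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

In a Symfony controller the return value would be passed to `new RedirectResponse(...)` in place of the raw header; the fallback should be a route generated by the application, never another request-supplied value.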
How can this vulnerability impact me?
This vulnerability can lead to phishing attacks or credential theft because the application redirects users to attacker-controlled sites while appearing to come from a trusted domain.
If exploited on public endpoints, attackers can easily redirect users without any authentication, increasing the risk for all users.
If exploited on admin-only endpoints, attackers can still cause harm if an authenticated admin clicks a malicious link, potentially compromising administrative access or sensitive data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Sylius to one of the fixed versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 or above.
Additionally, educate users, especially administrators, to avoid clicking on links from untrusted external sources such as emails or chats to reduce the risk of exploitation.