CVE-2026-31823
Stored XSS in Sylius Frontend and Admin via Unsanitized Names
Publication date: 2026-03-10
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sylius | sylius | From 2.0.0 (inc) to 2.0.16 (exc) |
| sylius | sylius | From 2.1.0 (inc) to 2.1.12 (exc) |
| sylius | sylius | From 2.2.0 (inc) to 2.2.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated stored cross-site scripting (XSS) issue in the Sylius eCommerce framework. It occurs because entity names such as taxon names, product names, and ancestor names are rendered as raw HTML, without escaping, in several places across the shop frontend and the admin panel.
Specifically, the breadcrumbs macro applies the Twig |raw filter to label values, so HTML or JavaScript placed in a name is emitted unescaped on the storefront. In the admin panel, the product taxon picker interpolates entity names directly into HTML templates, and autocomplete fields render entity names as raw HTML without escaping; both allow script injection.
An authenticated administrator can therefore store arbitrary HTML or JavaScript in an entity name, and that payload is rendered for every storefront visitor or admin user who views a page containing the name.
How can this vulnerability impact me?
This vulnerability allows an authenticated administrator to inject malicious HTML or JavaScript that executes in the browsers of other users visiting the storefront or the admin panel.
The impact includes stealing session cookies or tokens, defacing the site, redirecting users to malicious sites, and performing actions in the context of the affected application with the victim's privileges (for example, another administrator's).
Because the XSS is stored, the payload stays active until the offending name is changed and affects every user who views the affected pages or fields.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Sylius to the fixed release for your branch: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 or later. Note that the affected-products table on this page lists only the 2.x branches, while the fixed-version list also covers 1.x branches, so check 1.x installations against the upstream advisory as well.
Since the vulnerability arises from unsanitized entity names being rendered as raw HTML, do not pass untrusted input through the Twig |raw filter, and do not interpolate it into JavaScript template literals or innerHTML without escaping it first; rely on Twig's autoescaping and escape values explicitly on the JavaScript side.
Until the upgrade is applied, limit the set of accounts that can edit products and taxons, and audit existing taxon, product and ancestor names for HTML markup such as angle brackets or on* attributes.
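The following is an added example, not Sylius code or the project's fix. It contrasts the pattern the description attributes to the admin taxon picker and autocomplete (an entity name interpolated straight into an HTML template string) with a hardened version that escapes the name first, using a constructed taxon name as the payload. The breadcrumbs case on the Twig side is the same principle: dropping |raw lets Twig's autoescaping do what escapeHtml does here. The function and field names are assumptions for illustration.

```javascript
// Added example (not Sylius code): unescaped vs escaped rendering of an
// admin-controlled entity name into HTML markup.

// Constructed payload standing in for a malicious taxon name saved by an
// authenticated administrator.
const MALICIOUS_TAXON_NAME = 'Shoes<img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the entity name is dropped into a template literal
// that later becomes markup (e.g. via innerHTML), so the <img> tag and its
// onerror handler become part of the page.
function renderOptionUnsafe(taxon) {
  return `<div class="item" data-value="${taxon.id}">${taxon.name}</div>`;
}

// Escape the five characters that can change the structure of HTML text
// or attribute values. Order matters: '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: every interpolated value is escaped, so the name can
// only ever appear as text.
function renderOptionSafe(taxon) {
  return `<div class="item" data-value="${escapeHtml(taxon.id)}">${escapeHtml(taxon.name)}</div>`;
}

// Count HTML tags in a rendered fragment. The template above defines exactly
// two tags (<div> and </div>); anything beyond that came from the data.
function tagCount(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Demonstration with the constructed taxon.
const taxon = { id: 7, name: MALICIOUS_TAXON_NAME };
const unsafeHtml = renderOptionUnsafe(taxon); // 3 tags: the <img> is live
const safeHtml = renderOptionSafe(taxon);     // 2 tags: the payload is text
console.log('unsafe:', unsafeHtml, tagCount(unsafeHtml));
console.log('safe:  ', safeHtml, tagCount(safeHtml));
```

The same tagCount idea works as a quick audit of stored data: render each existing taxon or product name through escapeHtml and compare with the raw value; any name whose raw form contains a tag is a candidate payload left behind by a prior admin account.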
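As an added check that is not part of this page or of Sylius, the script below reads a composer.lock, finds the installed sylius/sylius version and reports whether it falls inside one of the affected ranges from the table above. Only the 2.x ranges listed on this page are encoded; the 1.x branches named in the fixed-version list are not in the table, so they are not covered here. The sample lock file is constructed, and the function names are assumptions.

```javascript
// Added example (not Sylius tooling): compare the sylius/sylius version in a
// composer.lock against the affected ranges listed on this page.

// Affected ranges from the page's table: lower bound inclusive, upper exclusive.
const AFFECTED_RANGES = [
  { from: '2.0.0', to: '2.0.16' },
  { from: '2.1.0', to: '2.1.12' },
  { from: '2.2.0', to: '2.2.3' },
];

// Parse "v2.1.11", "2.1.11" or "2.1.11-beta.1" into [2, 1, 11].
// Returns null for non-semver versions such as "dev-main".
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true = inside an affected range, false = outside, null = unparseable.
function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return null;
  return AFFECTED_RANGES.some(
    (r) =>
      compareVersions(v, parseVersion(r.from)) >= 0 &&
      compareVersions(v, parseVersion(r.to)) < 0,
  );
}

// Locate sylius/sylius in either package section of a composer.lock.
function findSyliusVersion(lockJson) {
  const lock = JSON.parse(lockJson);
  for (const section of ['packages', 'packages-dev']) {
    for (const pkg of lock[section] || []) {
      if (pkg.name === 'sylius/sylius') return pkg.version;
    }
  }
  return null;
}

function checkComposerLock(lockJson) {
  const version = findSyliusVersion(lockJson);
  if (version === null) {
    return { version: null, affected: false, note: 'sylius/sylius not present in lock file' };
  }
  const affected = isAffected(version);
  if (affected === null) {
    return { version, affected: null, note: 'non-semver version; compare manually' };
  }
  return { version, affected, note: affected ? 'upgrade required' : 'outside listed 2.x ranges' };
}

// CLI usage: node check-sylius.js path/to/composer.lock
function reportFromFile(path) {
  const fs = require('fs');
  return checkComposerLock(fs.readFileSync(path, 'utf8'));
}

// Constructed composer.lock fragment for demonstration.
const SAMPLE_LOCK = JSON.stringify({
  packages: [
    { name: 'symfony/framework-bundle', version: 'v7.1.0' },
    { name: 'sylius/sylius', version: 'v2.1.11' },
  ],
  'packages-dev': [],
});

console.log(checkComposerLock(SAMPLE_LOCK)); // affected: true
```

Pin the result to the branch you run: a 2.1.11 install is reported as affected, 2.1.12 is not, and a "dev-*" version is flagged for manual comparison rather than silently passed.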