sylius/sylius Security Advisories for v1.9.3 (11)
[MEDIUM] Sylius has a DQL Injection via API Order Filters
PKSA-6fr5-nks6-h5j2 CVE-2026-31825 GHSA-xcwx-r2gw-w93m
Affected versions: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by: GitHub
[HIGH] Sylius has a Promotion Usage Limit Bypass via Race Condition
PKSA-xqwf-3qbb-njd6 CVE-2026-31824 GHSA-7mp4-25j8-hp5q
Affected versions: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by: GitHub
[MEDIUM] Sylius has an Open Redirect via Referer Header
PKSA-6vgh-6nsj-96p4 CVE-2026-31819 GHSA-9ffx-f77r-756w
Affected versions: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by: GitHub
[MEDIUM] Cross site scripting in sylius/sylius
PKSA-r24p-jzny-v839 CVE-2021-3841 GHSA-hhvr-2q69-4563
Affected versions: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10
Reported by: GitHub
[HIGH] Sylius has a security vulnerability via adjustments API endpoint
PKSA-b1q1-2jf6-pqt9 CVE-2024-40633 GHSA-55rf-8q29-4g43
Affected versions: >=1.11.0-alpha.1,<=1.11.16|>=1.10.0-alpha.1,<=1.10.15|<1.9.12|>=1.12.0-alpha.1,<1.12.19|>=1.13.0-alpha.1,<1.13.4
Reported by: GitHub
[MEDIUM] Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
PKSA-nsc4-mbdg-1r18 CVE-2024-29376 GHSA-7prj-9ccr-hr3q
Affected versions: >=1.11.0-alpha.1,<1.11.17|>=1.10.0-alpha.1,<1.10.16|<1.9.12|>=1.13.0-alpha.1,<1.13.1|>=1.12.0-alpha.1,<1.12.16
Reported by: GitHub
[MEDIUM] Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
PKSA-dg69-7wty-b2d6 CVE-2024-34349 GHSA-v2f9-rv6w-vw8r
Affected versions: >=1.11.0-alpha.1,<1.11.17|>=1.10.0-alpha.1,<1.10.16|<1.9.12|>=1.13.0-alpha.1,<1.13.1|>=1.12.0-alpha.1,<1.12.16
Reported by: GitHub
[MEDIUM] Improper sanitization of SVG files during content upload ('Cross-site Scripting') in sylius/sylius
PKSA-bdq8-12rq-1jxx CVE-2022-24749 GHSA-4qrp-27r3-66fj
Affected versions: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10
Reported by: GitHub
[MEDIUM] Sensitive Information Exposure in Sylius
PKSA-4y6p-d93g-pxdh CVE-2022-24742 GHSA-7563-75j9-6h5p
Affected versions: >=1.11,<1.11.2|>=1.10,<1.10.11|<1.9.10
Reported by: GitHub
[MEDIUM] Improper Restriction of Rendered UI Layers or Frames in Sylius
PKSA-ftgj-pjx7-dswf CVE-2022-24733 GHSA-4jp3-q2qm-9fmw
Affected versions: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10
Reported by: GitHub
[MEDIUM] List of order ids, number, items total and token value exposed to unauthorized users via new API
PKSA-g9bh-zy49-c4ys CVE-2021-32720 GHSA-rpxh-vg2x-526v
Affected versions: >=1.9.0,<1.9.5
Reported by: GitHub