sylius/sylius Security Advisories for v1.12.3 (6)
-
[MEDIUM] Sylius has a DQL Injection via API Order Filters
PKSA-6fr5-nks6-h5j2 CVE-2026-31825 GHSA-xcwx-r2gw-w93m
Affected version: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by:
GitHub -
[HIGH] Sylius has a Promotion Usage Limit Bypass via Race Condition
PKSA-xqwf-3qbb-njd6 CVE-2026-31824 GHSA-7mp4-25j8-hp5q
Affected version: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by:
GitHub -
[MEDIUM] Sylius has an Open Redirect via Referer Header
PKSA-6vgh-6nsj-96p4 CVE-2026-31819 GHSA-9ffx-f77r-756w
Affected version: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by:
GitHub -
[HIGH] Sylius has a security vulnerability via adjustments API endpoint
PKSA-b1q1-2jf6-pqt9 CVE-2024-40633 GHSA-55rf-8q29-4g43
Affected version: >=1.11.0-alpha.1,<=1.11.16|>=1.10.0-alpha.1,<=1.10.15|<1.9.12|>=1.12.0-alpha.1,<1.12.19|>=1.13.0-alpha.1,<1.13.4
Reported by:
GitHub -
[MEDIUM] Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
PKSA-nsc4-mbdg-1r18 CVE-2024-29376 GHSA-7prj-9ccr-hr3q
Affected version: >=1.11.0-alpha.1,<1.11.17|>=1.10.0-alpha.1,<1.10.16|<1.9.12|>=1.13.0-alpha.1,<1.13.1|>=1.12.0-alpha.1,<1.12.16
Reported by:
GitHub -
[MEDIUM] Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
PKSA-dg69-7wty-b2d6 CVE-2024-34349 GHSA-v2f9-rv6w-vw8r
Affected version: >=1.11.0-alpha.1,<1.11.17|>=1.10.0-alpha.1,<1.10.16|<1.9.12|>=1.13.0-alpha.1,<1.13.1|>=1.12.0-alpha.1,<1.12.16
Reported by:
GitHub