sylius/sylius Security Advisories for v0.1.0 (12)
-
[MEDIUM] Sylius has a DQL Injection via API Order Filters
PKSA-6fr5-nks6-h5j2 CVE-2026-31825 GHSA-xcwx-r2gw-w93m
Affected version: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by: GitHub
-
[HIGH] Sylius has a Promotion Usage Limit Bypass via Race Condition
PKSA-xqwf-3qbb-njd6 CVE-2026-31824 GHSA-7mp4-25j8-hp5q
Affected version: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by: GitHub
-
[MEDIUM] Sylius has an Open Redirect via Referer Header
PKSA-6vgh-6nsj-96p4 CVE-2026-31819 GHSA-9ffx-f77r-756w
Affected version: >=2.2.0,<=2.2.2|>=2.1.0,<=2.1.11|>=2.0.0,<=2.0.15|>=1.14.0,<=1.14.17|>=1.13.0,<=1.13.14|>=1.12.0,<=1.12.22|>=1.11.0,<=1.11.16|>=1.10.0,<=1.10.15|<=1.9.11
Reported by: GitHub
-
[MEDIUM] Cross site scripting in sylius/sylius
PKSA-r24p-jzny-v839 CVE-2021-3841 GHSA-hhvr-2q69-4563
Affected version: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10
Reported by: GitHub
-
[HIGH] Sylius has a security vulnerability via adjustments API endpoint
PKSA-b1q1-2jf6-pqt9 CVE-2024-40633 GHSA-55rf-8q29-4g43
Affected version: >=1.11.0-alpha.1,<=1.11.16|>=1.10.0-alpha.1,<=1.10.15|<1.9.12|>=1.12.0-alpha.1,<1.12.19|>=1.13.0-alpha.1,<1.13.4
Reported by: GitHub
-
[MEDIUM] Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
PKSA-nsc4-mbdg-1r18 CVE-2024-29376 GHSA-7prj-9ccr-hr3q
Affected version: >=1.11.0-alpha.1,<1.11.17|>=1.10.0-alpha.1,<1.10.16|<1.9.12|>=1.13.0-alpha.1,<1.13.1|>=1.12.0-alpha.1,<1.12.16
Reported by: GitHub
-
[MEDIUM] Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
PKSA-dg69-7wty-b2d6 CVE-2024-34349 GHSA-v2f9-rv6w-vw8r
Affected version: >=1.11.0-alpha.1,<1.11.17|>=1.10.0-alpha.1,<1.10.16|<1.9.12|>=1.13.0-alpha.1,<1.13.1|>=1.12.0-alpha.1,<1.12.16
Reported by: GitHub
-
[MEDIUM] Improper sanitize of SVG files during content upload ('Cross-site Scripting') in sylius/sylius
PKSA-bdq8-12rq-1jxx CVE-2022-24749 GHSA-4qrp-27r3-66fj
Affected version: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10
Reported by: GitHub
-
[MEDIUM] Sensitive Information Exposure in Sylius
PKSA-4y6p-d93g-pxdh CVE-2022-24742 GHSA-7563-75j9-6h5p
Affected version: >=1.11,<1.11.2|>=1.10,<1.10.11|<1.9.10
Reported by: GitHub
-
[MEDIUM] Improper Restriction of Rendered UI Layers or Frames in Sylius
PKSA-ftgj-pjx7-dswf CVE-2022-24733 GHSA-4jp3-q2qm-9fmw
Affected version: >=1.11.0,<1.11.2|>=1.10.0,<1.10.11|<1.9.10
Reported by: GitHub
-
[LOW] Ability to switch channels via GET parameter enabled in production environments
PKSA-3b3k-ptfz-1wwy CVE-2020-5218 GHSA-prg5-hg25-8grq
Affected version: >=1.6.0,<1.6.5|>=1.5,<1.5.9|>=1.4.0,<1.4.12|<1.3.16
Reported by: GitHub
-
[LOW] Internal exception message exposure for login action in Sylius
PKSA-5fvz-8hqw-qw9z CVE-2019-16768 GHSA-3r8j-pmch-5j2h
Affected version: >=1.6.0,<1.6.3|>=1.5.0,<1.5.7|>=1.4.0,<1.4.10|<1.3.14
Reported by: GitHub