CVE-2026-31822
Sylius has an XSS vulnerability in checkout login form
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Sylius is an Open Source eCommerce Framework on Symfony. A cross-site scripting (XSS) vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be parsed and executed by the browser. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
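The sink described above, as an added example that is not Sylius code: the vulnerable rendering of a JSON failure message beside a hardened version that inserts the message as text. Element and field names are assumptions, the sample message is constructed, and the stub element exists only so the functions can be exercised outside a browser.

```javascript
// Constructed sample of a failure-handler response body; the markup in it
// stands in for whatever a server might echo, not a real payload.
const SAMPLE_FAILURE = { message: 'Invalid credentials <b>bold</b>' };

// Vulnerable pattern: the message string is handed to the HTML parser, so any
// tags it contains become live DOM nodes.
function showErrorUnsafe(errorEl, body) {
  errorEl.innerHTML = body.message;
}

// Hardened pattern: the message becomes a text node and is displayed literally.
// Bodies without a string message get a generic text instead of being echoed.
function showErrorSafe(errorEl, body) {
  const msg = body && typeof body.message === 'string' ? body.message : 'Login failed.';
  errorEl.textContent = msg;
}

// Escape helper for the case where the message must be interpolated into a
// markup string (attribute or element context) and textContent is not usable.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Stand-in for a DOM element (assumed, for running outside a browser). Setting
// innerHTML stores the raw string, as the browser would hand it to its parser;
// setting textContent stores text and serialises it the way a browser serialises
// a text node back into innerHTML (only &, < and > are escaped there).
function stubElement() {
  return {
    innerHTML: '',
    _text: '',
    get textContent() { return this._text; },
    set textContent(v) {
      this._text = String(v);
      this.innerHTML = this._text.replace(/[&<>]/g, (c) =>
        ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
    },
  };
}
```

Inspecting `innerHTML` on the stub after each call shows the difference: the unsafe path leaves `<b>bold</b>` as markup, the safe path leaves `&lt;b&gt;bold&lt;/b&gt;`.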
| CWE | CWE-79 |
| Vendor | sylius |
| Product | sylius |
| Published | Mar 10, 2026 |
| Last Updated | Mar 11, 2026 |
Affected Versions
| Sylius / Sylius | >= 2.2.0, < 2.2.3 |
| Sylius / Sylius | >= 2.1.0, < 2.1.12 |
| Sylius / Sylius | >= 2.0.0, < 2.0.16 |