CVE-2026-31825

Summary

Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

Affected Software

VendorProductVersion RangeStatus
SyliusSylius>= 2.2.0, < 2.2.3affected
SyliusSylius>= 2.1.0, < 2.1.12affected
SyliusSylius>= 2.0.0, < 2.0.16affected
SyliusSylius>= 1.14.0, < 1.14.18affected
SyliusSylius>= 1.13.0, < 1.13.15affected
SyliusSylius>= 1.12.0, < 1.12.23affected
SyliusSylius>= 1.11.0, < 1.11.17affected
SyliusSylius>= 1.10.0, < 1.10.16affected
SyliusSylius< 1.9.12affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-943: CWE-943: Improper Neutralization of Special Elements in Data Query Logic

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References