CVE-2026-31825

EUVD-2026-10923
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
syliussylius
𝑥
< 1.9.12
syliussylius
1.10.0 ≤
𝑥
< 1.10.16
syliussylius
1.11.0 ≤
𝑥
< 1.11.17
syliussylius
1.12.0 ≤
𝑥
< 1.12.23
syliussylius
1.13.0 ≤
𝑥
< 1.13.15
syliussylius
1.14.0 ≤
𝑥
< 1.14.18
syliussylius
2.0.0 ≤
𝑥
< 2.0.16
syliussylius
2.1.0 ≤
𝑥
< 2.1.12
syliussylius
2.2.0 ≤
𝑥
< 2.2.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m