pkg:Packagist/sylius/sylius

21 total CVEs (HIGH: 3, MEDIUM: 12, LOW: 1, unscored: 5)


All known vulnerabilities

  • HIGH 8.2 · CVE-2026-31824 · Sylius has a Promotion Usage Limit Bypass via Race Condition
    Affected versions: from 0, < 1.9.12
  • HIGH 7.5 · CVE-2024-40633 · Sylius has a security vulnerability via adjustments API endpoint
    Affected versions: >= 1.12.0-alpha.1, < 1.12.19
  • HIGH 7.1 · CVE-2022-24743 · Insufficient Session Expiration in Sylius
    Affected versions: >= 1.10.0, < 1.10.11
  • MEDIUM 6.1 · CVE-2022-24749 · Improper sanitize of SVG files during content upload ('Cross-site Scripting') in sylius/sylius
    Affected versions: from 0, < 1.9.10
  • MEDIUM 6.1 · CVE-2022-24733 · Improper Restriction of Rendered UI Layers or Frames in Sylius
    Affected versions: from 0, < 1.9.10
  • MEDIUM 5.3 · CVE-2026-31825 · Sylius has a DQL Injection via API Order Filters
    Affected versions: from 0, < 1.9.12
  • MEDIUM 5.3 · CVE-2021-32720 · List of order ids, number, items total and token value exposed for unauthorized uses via new API
    Affected versions: >= 1.9.0, < 1.9.5
  • MEDIUM 5.0 · CVE-2022-24742 · Sensitive Information Exposure in Sylius
    Affected versions: from 0, < 1.9.10
  • MEDIUM 4.8 · CVE-2026-31823 · Sylius Vulnerable to Authenticated Stored XSS
    Affected versions: >= 2.0.0, < 2.0.16
  • MEDIUM 4.8 · CVE-2024-34349 · Sylius potentially vulnerable to Cross Site Scripting via "Name" field (Taxons, Products, Options, Variants) in Admin Panel
    Affected versions: from 0, < 1.9.12
  • MEDIUM 4.8 · CVE-2019-12186 · XSS injection in the Grid component of Sylius
    Affected versions: >= 1.0.0, < 1.1.18
  • MEDIUM 4.4 · CVE-2020-5218 · Ability to switch channels via GET parameter enabled in production environments
    Affected versions: from 0, < 1.3.16
  • MEDIUM 4.4 · CVE-2020-5220 · Ability to expose data in Sylius by using an unintended serialisation group
    Affected versions: from 0, < 1.3.12
  • MEDIUM 4.3 · CVE-2020-15245 · Ability to switch customer email address on account detail page and stay verified
    Affected versions: >= 1.7.0, < 1.7.9
  • MEDIUM 4.1 · CVE-2021-3841 · Cross site scripting in sylius/sylius
    Affected versions: from 0, < 1.9.10
  • LOW 3.5 · CVE-2019-16768 · Internal exception message exposure for login action in Sylius
    Affected versions: from 0, < 1.3.14
  • (unscored) · CVE-2026-31822 · Sylius has a XSS vulnerability in checkout login form
    Affected versions: >= 2.0.0, < 2.0.16
  • (unscored) · CVE-2026-31821 · Sylius is Missing Authorization in API v2 Add Item Endpoint
    Affected versions: >= 2.0.0, < 2.0.16
  • (unscored) · CVE-2026-31820 · Sylius affected by IDOR in Cart and Checkout LiveComponents
    Affected versions: >= 2.0.0, < 2.0.16
  • (unscored) · CVE-2026-31819 · Sylius has an Open Redirect via Referer Header
    Affected versions: from 0, < 1.9.12
  • (unscored) · CVE-2024-29376 · Sylius has potential Cross Site Scripting vulnerability via the "Province" field in the Checkout and Address Book
    Affected versions: from 0, < 1.9.12