CVE-2026-31823

{"id": "CVE-2026-31823", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2026-03-10T22:16:19.973", "references": [{"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-mx4q-xxc9-pf5q", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above."}, {"lang": "es", "value": "Sylius es un marco de comercio electr\u00f3nico de c\u00f3digo abierto basado en Symfony. Existe una vulnerabilidad de tipo cross-site scripting (XSS) almacenada y autenticada en varios lugares del frontend de la tienda y del panel de administraci\u00f3n debido a que los nombres de las entidades no desinfectados se representan como HTML sin procesar. Migas de pan de la tienda (shared/breadcrumbs.html.twig): la macro de migas de pan utiliza el filtro Twig |raw en los valores de las etiquetas. Dado que los nombres de taxones, los nombres de productos y los nombres de antecesores fluyen directamente a estas etiquetas, un nombre de tax\u00f3n malicioso como se representa y se ejecuta como JavaScript en la tienda. Selector de taxones de productos del administrador (ProductTaxonTreeController.js): El m\u00e9todo rowRenderer interpola ${name} directamente en una plantilla literal que crea HTML, lo que permite la inyecci\u00f3n de scripts a trav\u00e9s de los nombres de taxones en el panel de administraci\u00f3n. Campos de autocompletado del administrador (Tom Select): Los elementos y opciones desplegables representan los nombres de las entidades como HTML sin procesar sin escapar, lo que permite XSS a trav\u00e9s de cualquier campo de autocompletado que muestre nombres de entidades. Un administrador autenticado puede inyectar HTML o JavaScript arbitrario a trav\u00e9s de nombres de entidades (por ejemplo, nombre de tax\u00f3n) que se representan de forma persistente para todos los usuarios. El problema se ha solucionado en las versiones: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 y superiores."}], "lastModified": "2026-03-11T19:31:00.943", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DA9449ED-A73A-4D16-A464-DBCBE24CA6A6", "versionEndExcluding": "2.0.16", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F45888BF-720D-4B78-BA7D-ED7E5E091A8C", "versionEndExcluding": "2.1.12", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A2540B0-56B9-4B15-9876-BE908A80BB0A", "versionEndExcluding": "2.2.3", "versionStartIncluding": "2.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}