Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Sylius |
|
No data.
No data.
References
History
Wed, 11 Mar 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 11 Mar 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Sylius
Sylius sylius |
|
| Vendors & Products |
Sylius
Sylius sylius |
Tue, 10 Mar 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above. | |
| Title | Sylius has a DQL Injection via API Order Filters | |
| Weaknesses | CWE-89 CWE-943 |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-03-10T21:33:26.471Z
Updated: 2026-03-11T15:19:28.740Z
Reserved: 2026-03-09T17:41:56.077Z
Link: CVE-2026-31825
Vulnrichment
Updated: 2026-03-11T14:29:20.870Z
NVD
Status : Awaiting Analysis
Published: 2026-03-10T22:16:20.320
Modified: 2026-03-11T13:52:47.683
Link: CVE-2026-31825
Redhat
No data.