Sylius up to 2.0.15/2.1.11/2.2.2 breadcrumbs.html.twig rowRenderer label cross site scripting

Summaryinfo

A vulnerability was found in Sylius up to 2.0.15/2.1.11/2.2.2. It has been rated as problematic. Affected is the function rowRenderer of the file shared/breadcrumbs.html.twig. Performing a manipulation of the argument label results in cross site scripting. This vulnerability is reported as CVE-2026-31823. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

Detailsinfo

A vulnerability classified as problematic has been found in Sylius up to 2.0.15/2.1.11/2.2.2. This affects the function rowRenderer of the file shared/breadcrumbs.html.twig. The manipulation of the argument label with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. The summary by CVE is:

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-31823 since 03/09/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. Additional levels of successful authentication are required for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

Upgrading to version 2.0.16, 2.1.12 or 2.2.3 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Sylius

Version

• 2.0.0
• 2.0.1
• 2.0.2
• 2.0.3
• 2.0.4
• 2.0.5
• 2.0.6
• 2.0.7
• 2.0.8
• 2.0.9
• 2.0.10
• 2.0.11
• 2.0.12
• 2.0.13
• 2.0.14
• 2.0.15
• 2.1.0
• 2.1.1
• 2.1.2
• 2.1.3
• 2.1.4
• 2.1.5
• 2.1.6
• 2.1.7
• 2.1.8
• 2.1.9
• 2.1.10
• 2.1.11
• 2.2.0
• 2.2.1
• 2.2.2

Website

• Product: https://github.com/Sylius/Sylius/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion