Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/738542?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/738542?format=api", "purl": "pkg:composer/sylius/sylius@1.11.15", "type": "composer", "namespace": "sylius", "name": "sylius", "version": "1.11.15", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.11.17", "latest_non_vulnerable_version": "2.2.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55533?format=api", "vulnerability_id": "VCID-3hya-uu5q-q7gs", "summary": "Sylius has a security vulnerability via adjustments API endpoint\nA security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-40633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00239", "scoring_system": "epss", "scoring_elements": "0.47238", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-40633" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://github.com/Sylius/Sylius/commit/d833b2871caa3b8d1f0a8207378bb778f0b90464", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius/commit/d833b2871caa3b8d1f0a8207378bb778f0b90464" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40633", "reference_id": "CVE-2024-40633", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40633" }, { "reference_url": "https://github.com/advisories/GHSA-55rf-8q29-4g43", "reference_id": "GHSA-55rf-8q29-4g43", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-55rf-8q29-4g43" }, { "reference_url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43", "reference_id": "GHSA-55rf-8q29-4g43", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-17T19:06:37Z/" } ], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74743?format=api", "purl": "pkg:composer/sylius/sylius@1.11.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/82199?format=api", "purl": "pkg:composer/sylius/sylius@1.12.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" }, { "vulnerability": "VCID-vrea-7ept-tbas" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.12.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/82200?format=api", "purl": "pkg:composer/sylius/sylius@1.13.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" }, { "vulnerability": "VCID-vrea-7ept-tbas" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.13.4" } ], "aliases": [ "CVE-2024-40633", "GHSA-55rf-8q29-4g43" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3hya-uu5q-q7gs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50847?format=api", "vulnerability_id": "VCID-6ep3-u13e-2kc8", "summary": "Sylius has an Open Redirect via Referer Header\n`CurrencySwitchController::switchAction()`, `ImpersonateUserController::impersonateAction()` and `StorageBasedLocaleSwitcher::handle()` use the HTTP Referer header directly when redirecting.\n\nThe attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain.\n\nThe severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat.\n\nAffected classes:\n- `CurrencySwitchController::switchAction()` - public\n- `StorageBasedLocaleSwitcher::handle()` - public, used in locale switching without having locale in the `url`\n- `ImpersonateUserController::impersonateAction()` - admin-only", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31819", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17591", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31819" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31819", "reference_id": "CVE-2026-31819", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31819" }, { "reference_url": "https://github.com/advisories/GHSA-9ffx-f77r-756w", "reference_id": "GHSA-9ffx-f77r-756w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ffx-f77r-756w" }, { "reference_url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-9ffx-f77r-756w", "reference_id": "GHSA-9ffx-f77r-756w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:35Z/" } ], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-9ffx-f77r-756w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74743?format=api", "purl": "pkg:composer/sylius/sylius@1.11.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/74744?format=api", "purl": "pkg:composer/sylius/sylius@1.12.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.12.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/74745?format=api", "purl": "pkg:composer/sylius/sylius@1.13.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.13.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/74746?format=api", "purl": "pkg:composer/sylius/sylius@1.14.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.14.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/74690?format=api", "purl": "pkg:composer/sylius/sylius@2.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74691?format=api", "purl": "pkg:composer/sylius/sylius@2.1.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/74692?format=api", "purl": "pkg:composer/sylius/sylius@2.2.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.2.3" } ], "aliases": [ "CVE-2026-31819", "GHSA-9ffx-f77r-756w" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6ep3-u13e-2kc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50870?format=api", "vulnerability_id": "VCID-kga1-jcjw-mfgn", "summary": "Sylius has a Promotion Usage Limit Bypass via Race Condition\nA Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects three independent limits:\n\n1. **Promotion usage limit** - the global `used` counter on `Promotion` entities\n2. **Coupon usage limit** - the global `used` counter on `PromotionCoupon` entities\n3. **Coupon per-customer usage limit** - the per-customer redemption count on `PromotionCoupon` entities\n\nIn all three cases, the eligibility check reads the `used` counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage increment in `OrderPromotionsUsageModifier` happens later during order completion — with no database-level locking or atomic operations between the two phases.\n\nBecause Doctrine flushes an absolute value (`SET used = 1`) rather than an atomic increment (`SET used = used + 1`), and because the affected entities lack optimistic locking, concurrent requests all read the same stale usage counts and pass the eligibility checks simultaneously.\n\nAn attacker can exploit this by preparing multiple carts with the same limited-use promotion or coupon and firing simultaneous `PATCH /api/v2/shop/orders/{token}/complete` requests. All requests pass the usage limit checks and complete successfully, allowing a single-use promotion or coupon to be redeemed an arbitrary number of times. The per-customer limit can be bypassed in the same way by a single customer completing multiple orders concurrently. No authentication is required to exploit this vulnerability.\n\nThis may lead to direct financial loss through unlimited redemption of limited-use promotions and discount coupons.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31824", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00067", "scoring_system": "epss", "scoring_elements": "0.20937", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31824" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31824", "reference_id": "CVE-2026-31824", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31824" }, { "reference_url": "https://github.com/advisories/GHSA-7mp4-25j8-hp5q", "reference_id": "GHSA-7mp4-25j8-hp5q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7mp4-25j8-hp5q" }, { "reference_url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7mp4-25j8-hp5q", "reference_id": "GHSA-7mp4-25j8-hp5q", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T15:53:30Z/" } ], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7mp4-25j8-hp5q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74743?format=api", "purl": "pkg:composer/sylius/sylius@1.11.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/74744?format=api", "purl": "pkg:composer/sylius/sylius@1.12.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.12.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/74745?format=api", "purl": "pkg:composer/sylius/sylius@1.13.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.13.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/74746?format=api", "purl": "pkg:composer/sylius/sylius@1.14.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.14.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/74690?format=api", "purl": "pkg:composer/sylius/sylius@2.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74691?format=api", "purl": "pkg:composer/sylius/sylius@2.1.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/74692?format=api", "purl": "pkg:composer/sylius/sylius@2.2.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.2.3" } ], "aliases": [ "CVE-2026-31824", "GHSA-7mp4-25j8-hp5q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kga1-jcjw-mfgn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54772?format=api", "vulnerability_id": "VCID-mvs8-u1c4-67hm", "summary": "Sylius has potential Cross Site Scripting vulnerability via the \"Province\" field in the Checkout and Address Book\nThere is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-29376", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32518", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-29376" }, { "reference_url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-22T23:48:15Z/" } ], "url": "https://github.com/r2tunes/Reports/blob/main/Sylius.md" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://github.com/Sylius/Sylius/commit/fb0ecb275747e364f1d4744ed8605c57f9bd8a80", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius/commit/fb0ecb275747e364f1d4744ed8605c57f9bd8a80" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29376", "reference_id": "CVE-2024-29376", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29376" }, { "reference_url": "https://github.com/advisories/GHSA-7prj-9ccr-hr3q", "reference_id": "GHSA-7prj-9ccr-hr3q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7prj-9ccr-hr3q" }, { "reference_url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7prj-9ccr-hr3q", "reference_id": "GHSA-7prj-9ccr-hr3q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-7prj-9ccr-hr3q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74743?format=api", "purl": "pkg:composer/sylius/sylius@1.11.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/81238?format=api", "purl": "pkg:composer/sylius/sylius@1.12.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hya-uu5q-q7gs" }, { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" }, { "vulnerability": "VCID-vrea-7ept-tbas" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.12.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/81239?format=api", "purl": "pkg:composer/sylius/sylius@1.13.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hya-uu5q-q7gs" }, { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" }, { "vulnerability": "VCID-vrea-7ept-tbas" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.13.1" } ], "aliases": [ "CVE-2024-29376", "GHSA-7prj-9ccr-hr3q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mvs8-u1c4-67hm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50858?format=api", "vulnerability_id": "VCID-t3xh-2paj-hbg4", "summary": "Sylius has a DQL Injection via API Order Filters\nSylius API filters `ProductPriceOrderFilter` and `TranslationOrderNameAndLocaleFilter` pass user-supplied order direction values directly to Doctrine's `orderBy()` without validation. An attacker can inject arbitrary DQL:\n\n```\nGET /api/v2/shop/products?order[price]=ASC,%20variant.code%20DESC\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31825", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00047", "scoring_system": "epss", "scoring_elements": "0.1519", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31825" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31825", "reference_id": "CVE-2026-31825", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31825" }, { "reference_url": "https://github.com/advisories/GHSA-xcwx-r2gw-w93m", "reference_id": "GHSA-xcwx-r2gw-w93m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xcwx-r2gw-w93m" }, { "reference_url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m", "reference_id": "GHSA-xcwx-r2gw-w93m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:29:15Z/" } ], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74743?format=api", "purl": "pkg:composer/sylius/sylius@1.11.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/74744?format=api", "purl": "pkg:composer/sylius/sylius@1.12.23", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.12.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/74745?format=api", "purl": "pkg:composer/sylius/sylius@1.13.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.13.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/74746?format=api", "purl": "pkg:composer/sylius/sylius@1.14.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.14.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/74690?format=api", "purl": "pkg:composer/sylius/sylius@2.0.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.0.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/74691?format=api", "purl": "pkg:composer/sylius/sylius@2.1.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/74692?format=api", "purl": "pkg:composer/sylius/sylius@2.2.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.2.3" } ], "aliases": [ "CVE-2026-31825", "GHSA-xcwx-r2gw-w93m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t3xh-2paj-hbg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56594?format=api", "vulnerability_id": "VCID-vrea-7ept-tbas", "summary": "Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts\n## Withdrawn Advisory\nThis advisory has been withdrawn because it is not a vulnerability in the Sylius framework. This link is maintained to preserve external references.\n\n## Original Description\nA rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-57610", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.09773", "scoring_system": "epss", "scoring_elements": "0.93108", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-57610" }, { "reference_url": "https://github.com/github/advisory-database/pull/5254", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/github/advisory-database/pull/5254" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-07T15:57:40Z/" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://sylius.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sylius.com" }, { "reference_url": "https://github.com/nca785/CVE-2024-57610", "reference_id": "CVE-2024-57610", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-07T15:57:40Z/" } ], "url": "https://github.com/nca785/CVE-2024-57610" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57610", "reference_id": "CVE-2024-57610", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57610" }, { "reference_url": "https://github.com/advisories/GHSA-2hjh-495w-hmxc", "reference_id": "GHSA-2hjh-495w-hmxc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2hjh-495w-hmxc" }, { "reference_url": "https://sylius.com/", "reference_id": "sylius.com", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-07T15:57:40Z/" } ], "url": "https://sylius.com/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/800376?format=api", "purl": "pkg:composer/sylius/sylius@2.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-15s8-g3t6-vbg4" }, { "vulnerability": "VCID-33hq-p2xm-nqfb" }, { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-e88w-vndp-cbcb" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-s53m-jutw-d7gx" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@2.0.3" } ], "aliases": [ "CVE-2024-57610", "GHSA-2hjh-495w-hmxc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vrea-7ept-tbas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54771?format=api", "vulnerability_id": "VCID-zx3s-y6eu-aqak", "summary": "Sylius potentially vulnerable to Cross Site Scripting via \"Name\" field (Taxons, Products, Options, Variants) in Admin Panel\nThere is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into `Name` field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34349", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00068", "scoring_system": "epss", "scoring_elements": "0.21289", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34349" }, { "reference_url": "https://github.com/Sylius/Sylius", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Sylius/Sylius" }, { "reference_url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-10T18:30:14Z/" } ], "url": "https://github.com/Sylius/Sylius/commit/ba4b66da5af88cdb1bba6174de8bdf42f4853e12" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34349", "reference_id": "CVE-2024-34349", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34349" }, { "reference_url": "https://github.com/advisories/GHSA-v2f9-rv6w-vw8r", "reference_id": "GHSA-v2f9-rv6w-vw8r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2f9-rv6w-vw8r" }, { "reference_url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r", "reference_id": "GHSA-v2f9-rv6w-vw8r", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-10T18:30:14Z/" } ], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-v2f9-rv6w-vw8r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74743?format=api", "purl": "pkg:composer/sylius/sylius@1.11.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/81238?format=api", "purl": "pkg:composer/sylius/sylius@1.12.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hya-uu5q-q7gs" }, { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" }, { "vulnerability": "VCID-vrea-7ept-tbas" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.12.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/81239?format=api", "purl": "pkg:composer/sylius/sylius@1.13.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3hya-uu5q-q7gs" }, { "vulnerability": "VCID-6ep3-u13e-2kc8" }, { "vulnerability": "VCID-kga1-jcjw-mfgn" }, { "vulnerability": "VCID-t3xh-2paj-hbg4" }, { "vulnerability": "VCID-vrea-7ept-tbas" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.13.1" } ], "aliases": [ "CVE-2024-34349", "GHSA-v2f9-rv6w-vw8r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zx3s-y6eu-aqak" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/sylius/sylius@1.11.15" }