CVE-2026-31825
MEDIUM WAF: High
CVSS 5.3
Published: 2026-03-10
CWE-89
Sylius is an Open Source eCommerce Framework on Symfony. Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation. An attacker can inject arbitrary DQL. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
WAF Coverage Analysis
SQL Injection
High WAF Coverage
OWASP: A03:2021 Injection
942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| sylius | sylius | up to 1.9.12 |
| sylius | sylius | 1.10.0 - 1.10.16 |
| sylius | sylius | 1.11.0 - 1.11.17 |
| sylius | sylius | 1.12.0 - 1.12.23 |
| sylius | sylius | 1.13.0 - 1.13.15 |
| sylius | sylius | 1.14.0 - 1.14.18 |
| sylius | sylius | 2.0.0 - 2.0.16 |
| sylius | sylius | 2.1.0 - 2.1.12 |
| sylius | sylius | 2.2.0 - 2.2.3 |
References
- github.com (Mitigation, Vendor Advisory)