SCA: security update for sylius/sylius (GHSA-mx4q-xxc9-pf5q)

medium Tenable Cloud Security Plugin ID 438673

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sylius is an Open Source eCommerce Framework on Symfony. An authenticated stored cross-site scripting
(XSS) vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized
entity names being rendered as raw HTML. Shop breadcrumbs (shared/breadcrumbs.html.twig): The breadcrumbs
macro uses the Twig |raw filter on label values. Since taxon names, product names, and ancestor names flow
directly into these labels, a malicious taxon name like <img src=x onerror=alert('XSS')> is rendered and
executed as JavaScript on the storefront. Admin product taxon picker (ProductTaxonTreeController.js): The
rowRenderer method interpolates ${name} directly into a template literal building HTML, allowing script
injection through taxon names in the admin panel. Admin autocomplete fields (Tom Select): Dropdown items
and options render entity names as raw HTML without escaping, allowing XSS through any autocomplete field
displaying entity names. An authenticated administrator can inject arbitrary HTML or JavaScript via entity
names (e.g. taxon name) that is persistently rendered for all users. The issue is fixed in versions:
1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above. (CVE-2026-31823)

Solution

Update the sylius/sylius library and its related packages to version 2.0.16 or later.

See Also

https://github.com/advisories/GHSA-mx4q-xxc9-pf5q

Plugin Details

Severity: Medium

ID: 438673

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/12/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 3.5

Vector: CVSS2#AV:N/AC:L/Au:M/C:P/I:P/A:N

CVSS Score Source: CVE-2026-31823

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2026

Vulnerability Publication Date: 3/10/2026

Reference Information

CVE: CVE-2026-31823

cwe: CWE-79