SCA: security update for sylius/sylius (GHSA-2xc6-348p-c2x6)

high Tenable Self-Hosted Container Security Plugin ID 438636

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference
(IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via
#[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully
user-controlled - any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without
ownership validation is vulnerable. Checkout address FormComponent (addressFieldUpdated action): Accepts
an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name,
last name, company, phone number, street, city, postcode, and country. Cart WidgetComponent (refreshCart
action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order
total and item count. Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and
loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded
and included), and order total. Since sylius_order contains both active carts (state=cart) and completed
orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just
active carts. The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above. (CVE-2026-31820)

Solution

Update the sylius/sylius library and its related packages to version 2.0.16 or later.

See Also

https://github.com/advisories/GHSA-2xc6-348p-c2x6

Plugin Details

Severity: High

ID: 438636

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/11/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2026-31820

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 4.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2026

Vulnerability Publication Date: 3/10/2026

Reference Information

CVE: CVE-2026-31820

cwe: CWE-639