CVE-2026-31821

MEDIUM EPSS 7.9%
Published Mar 10, 20263mo ago · Modified Mar 11, 20263mo ago
6.9 CVSS 4.0
Medium
Find Similar
Published Mar 10, 2026 3mo ago
Last Modified Mar 11, 2026 3mo ago

Description

Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
7.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-862 Missing Authorization Authorization

Affected Products 3

VendorProductVersionRange
syliussylius*≥2.0.0  –  <2.0.16
syliussylius*≥2.1.0  –  <2.1.12
syliussylius*≥2.2.0  –  <2.2.3

References 1

  • github.com https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg
    MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.