CVE-2026-31821
MEDIUM EPSS 7.9%
Published Mar 10, 2026 (3 months ago) · Modified Mar 11, 2026 (3 months ago)
6.9 CVSS 4.0
Description
Sylius is an open-source eCommerce framework built on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership: an unauthenticated attacker who knows or obtains a cart's tokenValue can add arbitrary items to another registered customer's cart. The endpoint returns the full cart representation in the response (HTTP 201), so a successful request also discloses the contents of the victim's cart. The issue is fixed in versions 2.0.16, 2.1.12 and 2.2.3 and later.
CVSS Details
Base Score: 6.9 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X
Threat Intelligence
EPSS Exploit Probability: 7.9%
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-862: Missing Authorization
Affected Products 3
References 1
- github.com https://github.com/Sylius/Sylius/security/advisories/GHSA-wjmg-4cq5-m8hg
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.