CVE-2026-31819

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-31819
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31819.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31819
Aliases
Published
2026-03-10T21:18:59.634Z
Modified
2026-04-10T05:42:09.693156Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L CVSS Calculator
Summary
Sylius has an Open Redirect via Referer Header
Details

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31819.json",
    "cwe_ids": [
        "CWE-601"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/sylius/sylius

Affected ranges

Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
7aa47be3a617f75337d73d245352ea700bc8a1ef
Fixed
111d96b1bea7cb59bc2f7b4c6d35d5cd05872195
Database specific 
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
a5a816f9f1fcb5abd2d42b27801656aa2ae9bf0d
Fixed
d8092f21ee9606b0155231fe892d9d54fc44986e
Database specific 
{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
6dd3ca9895be7ab7e6cb71f37af2ef66af17cbe0
Fixed
af579b0b6eaa10ea0883fb458484718c80fc96c7
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
57dcd9e53275a880c77d4ec2c4fad9f567f420be
Fixed
904251ad760dfdc4a3ad321144bdb1bade159019
Database specific 
{
    "versions": [
        {
            "introduced": "1.14.0"
        },
        {
            "fixed": "1.14.18"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
c8799bea638c5e4ab07a28f66f628d38d8174b41
Fixed
0b2babf51968a8d27b4ae8dcb9121e222272f006
Database specific 
{
    "versions": [
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.13.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
74dd42a09e50620a5f54f9a01676e003160d9f3a
Fixed
e3d9bd29624b531884e998f1458b5955bbbb0552
Database specific 
{
    "versions": [
        {
            "introduced": "1.12.0"
        },
        {
            "fixed": "1.12.23"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
d8a10279adea6a11039f2aeef37bc2cbc686c971
Fixed
523412eb780f501dd9bcb6f718e65640c606863c
Database specific 
{
    "versions": [
        {
            "introduced": "1.11.0"
        },
        {
            "fixed": "1.11.17"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
a367bc010cbee9fdf491dc76397198231f14ab63
Fixed
82c395a524fff8a732e4f466d0c6bdca48e63a39
Database specific 
{
    "versions": [
        {
            "introduced": "1.10.0"
        },
        {
            "fixed": "1.10.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/sylius
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8da3f314f52152b88433651aab5743c06a6820c8
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.9.12"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.0.0-alpha.1
v1.0.0-alpha.2
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-rc.1
v1.0.0-rc.2
v1.10.0
v1.10.1
v1.10.12
v1.10.13
v1.10.14
v1.10.15
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6
v1.10.8
v1.10.9
v1.11.0
v1.11.11
v1.11.12
v1.11.13
v1.11.14
v1.11.15
v1.11.16
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.11.7
v1.12.0
v1.12.1
v1.12.10
v1.12.11
v1.12.12
v1.12.13
v1.12.14
v1.12.15
v1.12.16
v1.12.17
v1.12.18
v1.12.19
v1.12.2
v1.12.20
v1.12.21
v1.12.22
v1.12.3
v1.12.4
v1.12.5
v1.12.6
v1.12.7
v1.12.8
v1.12.9
v1.13.0
v1.13.1
v1.13.10
v1.13.11
v1.13.12
v1.13.13
v1.13.14
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.13.9
v1.14.0
v1.14.1
v1.14.10
v1.14.11
v1.14.12
v1.14.13
v1.14.14
v1.14.15
v1.14.16
v1.14.17
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.14.9
v1.2.0-BETA
v1.4.0-BETA.1
v1.6.0-ALPHA.1
v1.6.0-ALPHA.2
v1.7.0-ALPHA.1
v1.7.0-ALPHA.2
v1.9.0
v1.9.0-ALPHA.1
v1.9.0-ALPHA.2
v1.9.0-BETA.1
v1.9.0-BETA.2
v1.9.0-BETA.3
v1.9.0-RC.1
v1.9.0-RC.2
v1.9.1
v1.9.11
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31819.json"