CVE-2026-31821
- Source
- https://cve.org/CVERecord?id=CVE-2026-31821
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31821.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-31821
- Aliases
- Published
- 2026-03-10T21:25:20.368Z
- Modified
- 2026-04-10T05:42:09.175052Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Sylius is Missing Authorization in API v2 Add Item Endpoint
- Details
-
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue can add arbitrary items to another customer's cart. The endpoint returns the full cart representation in the response (HTTP 201). The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31821.json", "cwe_ids": [ "CWE-862" ], "cna_assigner": "GitHub_M" }- References