{"id":"CVE-2026-31825","summary":"Sylius has a DQL Injection via API Order Filters","details":"Sylius is an Open Source eCommerce Framework on Symfony. The Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine's orderBy() without validation, so an attacker can inject arbitrary DQL. The issue is fixed in versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3, and in later releases.","aliases":["GHSA-xcwx-r2gw-w93m"],"modified":"2026-04-10T05:42:11.041Z","published":"2026-03-10T21:33:26.471Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31825.json","cwe_ids":["CWE-89","CWE-943"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31825.json"},{"type":"ADVISORY","url":"https://github.com/Sylius/Sylius/security/advisories/GHSA-xcwx-r2gw-w93m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31825"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"7aa47be3a617f75337d73d245352ea700bc8a1ef"},{"fixed":"111d96b1bea7cb59bc2f7b4c6d35d5cd05872195"}],"database_specific":{"versions":[{"introduced":"2.2.0"},{"fixed":"2.2.3"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"a5a816f9f1fcb5abd2d42b27801656aa2ae9bf0d"},{"fixed":"d8092f21ee9606b0155231fe892d9d54fc44986e"}],"database_specific":{"versions":[{"introduced":"2.1.0"},{"fixed":"2.1.12"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"6dd3ca9895be7ab7e6cb71f37af2ef66af17cbe0"},{"fixed":"af579b0b6eaa10ea0883fb458484718c80fc96c7"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.0.16"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"57dcd9e53275a880c77d4ec2c4fad9f567f42
0be"},{"fixed":"904251ad760dfdc4a3ad321144bdb1bade159019"}],"database_specific":{"versions":[{"introduced":"1.14.0"},{"fixed":"1.14.18"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"c8799bea638c5e4ab07a28f66f628d38d8174b41"},{"fixed":"0b2babf51968a8d27b4ae8dcb9121e222272f006"}],"database_specific":{"versions":[{"introduced":"1.13.0"},{"fixed":"1.13.15"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"74dd42a09e50620a5f54f9a01676e003160d9f3a"},{"fixed":"e3d9bd29624b531884e998f1458b5955bbbb0552"}],"database_specific":{"versions":[{"introduced":"1.12.0"},{"fixed":"1.12.23"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"d8a10279adea6a11039f2aeef37bc2cbc686c971"},{"fixed":"523412eb780f501dd9bcb6f718e65640c606863c"}],"database_specific":{"versions":[{"introduced":"1.11.0"},{"fixed":"1.11.17"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"a367bc010cbee9fdf491dc76397198231f14ab63"},{"fixed":"82c395a524fff8a732e4f466d0c6bdca48e63a39"}],"database_specific":{"versions":[{"introduced":"1.10.0"},{"fixed":"1.10.16"}]}},{"type":"GIT","repo":"https://github.com/sylius/sylius","events":[{"introduced":"0"},{"fixed":"8da3f314f52152b88433651aab5743c06a6820c8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.9.12"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.19.0","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v0.9.0","v1.0.0","v1.0.0-alpha.1","v1.0.0-alpha.2","v1.0.0-beta.1","v1.0.0-beta.2","v1.0.0-beta.3","v1.0.0-rc.1","v1.0.0-rc.2","v1.10.0","v1.10.1","v1.10.12","v1.10.13","v1.10.14","v1.10.15","v1.10.2","v1.10.3","v1.10.4","v1.10.5","v1.10.6","v1.10.8","v1.10.9","v1.11.0","v1.11.11","v1.11.12","v1.11.13","v1.11.14","v1.11.15","v1.11.16","v1.11.3","v1.11.4","v1.11.5","v1.11.6","v1.11.7","v1.12.0","v1.12.1","v1.12.10","v1.12.11","v1.12.12","v1.12.13","v1.1
2.14","v1.12.15","v1.12.16","v1.12.17","v1.12.18","v1.12.19","v1.12.2","v1.12.20","v1.12.21","v1.12.22","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.12.8","v1.12.9","v1.13.0","v1.13.1","v1.13.10","v1.13.11","v1.13.12","v1.13.13","v1.13.14","v1.13.2","v1.13.3","v1.13.4","v1.13.5","v1.13.6","v1.13.7","v1.13.8","v1.13.9","v1.14.0","v1.14.1","v1.14.10","v1.14.11","v1.14.12","v1.14.13","v1.14.14","v1.14.15","v1.14.16","v1.14.17","v1.14.2","v1.14.3","v1.14.4","v1.14.5","v1.14.6","v1.14.7","v1.14.8","v1.14.9","v1.2.0-BETA","v1.4.0-BETA.1","v1.6.0-ALPHA.1","v1.6.0-ALPHA.2","v1.7.0-ALPHA.1","v1.7.0-ALPHA.2","v1.9.0","v1.9.0-ALPHA.1","v1.9.0-ALPHA.2","v1.9.0-BETA.1","v1.9.0-BETA.2","v1.9.0-BETA.3","v1.9.0-RC.1","v1.9.0-RC.2","v1.9.1","v1.9.11","v1.9.2","v1.9.3","v1.9.4","v1.9.5","v1.9.6","v1.9.7","v1.9.8","v1.9.9","v2.0.0","v2.0.1","v2.0.10","v2.0.11","v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.1","v2.1.10","v2.1.11","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31825.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}