
Vulnerability Details CVE-2026-31820

Sylius is an Open Source eCommerce Framework on Symfony. An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via #[LiveArg] parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled: any action that accepts a resource ID via #[LiveArg] and loads it with ->find() without ownership validation is vulnerable.

  • Checkout address FormComponent (addressFieldUpdated action): Accepts an addressId via #[LiveArg] and loads it without verifying ownership, exposing another user's first name, last name, company, phone number, street, city, postcode, and country.
  • Cart WidgetComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing order total and item count.
  • Cart SummaryComponent (refreshCart action): Accepts a cartId via #[LiveArg] and loads any order directly from the repository, exposing subtotal, discount, shipping cost, taxes (excluded and included), and order total.

Since sylius_order contains both active carts (state=cart) and completed orders (state=new/fulfilled) in the same ID space, the cart IDOR exposes data from all orders, not just active carts. The issue is fixed in versions 2.0.16, 2.1.12, 2.2.3 and above.
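The following is an added illustrative example, not code from Sylius or from the advisory, showing the unsafe pattern the description names (a client-supplied #[LiveArg] id passed straight to ->find()) next to an ownership-checked version. The class name, the repository and customer/cart context interfaces and the `selectedAddress`/`cartSummary` properties are hypothetical; `#[AsLiveComponent]`, `#[LiveAction]` and `#[LiveArg]` are Symfony UX LiveComponent attributes, and `find()`/`findOneBy()` are Doctrine repository methods. The state value `'cart'` is taken from the advisory text.

```php
<?php
// Added example (not Sylius's code). Names marked "hypothetical" are assumptions.

use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\UX\LiveComponent\Attribute\AsLiveComponent;
use Symfony\UX\LiveComponent\Attribute\LiveAction;
use Symfony\UX\LiveComponent\Attribute\LiveArg;

#[AsLiveComponent('example_checkout_address_form')]
final class ExampleAddressFormComponent
{
    public ?object $selectedAddress = null;   // hypothetical output of the action
    public array $cartSummary = [];           // hypothetical output of the action

    public function __construct(
        private readonly object $addressRepository, // hypothetical: Doctrine repository for addresses
        private readonly object $orderRepository,   // hypothetical: Doctrine repository for orders
        private readonly object $customerContext,   // hypothetical: resolves the logged-in customer
    ) {
    }

    // UNSAFE (the pattern described in the advisory): the id arrives as a
    // #[LiveArg], which is not covered by the @checksum that protects props,
    // and is loaded with no check that it belongs to the current customer.
    #[LiveAction]
    public function addressFieldUpdatedUnsafe(#[LiveArg] int $addressId): void
    {
        $this->selectedAddress = $this->addressRepository->find($addressId);
    }

    // HARDENED: resolve the customer server-side and make ownership part of
    // the lookup itself, so a foreign id simply yields no row. Answering
    // "not found" instead of "forbidden" also avoids confirming that the id exists.
    #[LiveAction]
    public function addressFieldUpdated(#[LiveArg] int $addressId): void
    {
        $customer = $this->customerContext->getCustomer();
        if ($customer === null) {
            throw new AccessDeniedException('Authentication required.');
        }

        $address = $this->addressRepository->findOneBy([
            'id' => $addressId,
            'customer' => $customer,
        ]);
        if ($address === null) {
            throw new NotFoundHttpException('Address not found.');
        }

        $this->selectedAddress = $address;
    }

    // Same rule for the cart case. Because active carts and completed orders
    // share one id space, the lookup must also pin the state to 'cart', so an
    // id pointing at a finished order is rejected even for its own customer.
    #[LiveAction]
    public function refreshCart(#[LiveArg] int $cartId): void
    {
        $customer = $this->customerContext->getCustomer();
        if ($customer === null) {
            throw new AccessDeniedException('Authentication required.');
        }

        $cart = $this->orderRepository->findOneBy([
            'id' => $cartId,
            'customer' => $customer,
            'state' => 'cart',
        ]);
        if ($cart === null) {
            throw new NotFoundHttpException('Cart not found.');
        }

        $this->cartSummary = [
            'total' => $cart->getTotal(),
            'items' => $cart->countItems(),
        ];
    }
}
```

The design point is that the ownership constraint lives in the query rather than in a separate post-load comparison: there is no window in which a foreign object is loaded and could be reflected into the rendered component. For the cart components specifically, an alternative that removes the client-supplied id altogether is to read the current cart from a server-side cart context and ignore any id sent by the browser.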
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.8%
CVSS Severity
CVSS v3 Score 6.5
Products affected by CVE-2026-31820
  • Sylius » Sylius » Version: Any
    cpe:2.3:a:sylius:sylius:*
  • Sylius » Sylius » Version: 2.0.0
    cpe:2.3:a:sylius:sylius:2.0.0
  • Sylius » Sylius » Version: 2.0.1
    cpe:2.3:a:sylius:sylius:2.0.1
  • Sylius » Sylius » Version: 2.0.10
    cpe:2.3:a:sylius:sylius:2.0.10
  • Sylius » Sylius » Version: 2.0.11
    cpe:2.3:a:sylius:sylius:2.0.11
  • Sylius » Sylius » Version: 2.0.12
    cpe:2.3:a:sylius:sylius:2.0.12
  • Sylius » Sylius » Version: 2.0.13
    cpe:2.3:a:sylius:sylius:2.0.13
  • Sylius » Sylius » Version: 2.0.2
    cpe:2.3:a:sylius:sylius:2.0.2
  • Sylius » Sylius » Version: 2.0.3
    cpe:2.3:a:sylius:sylius:2.0.3
  • Sylius » Sylius » Version: 2.0.4
    cpe:2.3:a:sylius:sylius:2.0.4
  • Sylius » Sylius » Version: 2.0.5
    cpe:2.3:a:sylius:sylius:2.0.5
  • Sylius » Sylius » Version: 2.0.6
    cpe:2.3:a:sylius:sylius:2.0.6
  • Sylius » Sylius » Version: 2.0.7
    cpe:2.3:a:sylius:sylius:2.0.7
  • Sylius » Sylius » Version: 2.0.8
    cpe:2.3:a:sylius:sylius:2.0.8
  • Sylius » Sylius » Version: 2.0.9
    cpe:2.3:a:sylius:sylius:2.0.9
  • Sylius » Sylius » Version: 2.1.0
    cpe:2.3:a:sylius:sylius:2.1.0
  • Sylius » Sylius » Version: 2.1.1
    cpe:2.3:a:sylius:sylius:2.1.1
  • Sylius » Sylius » Version: 2.1.2
    cpe:2.3:a:sylius:sylius:2.1.2
  • Sylius » Sylius » Version: 2.1.3
    cpe:2.3:a:sylius:sylius:2.1.3
  • Sylius » Sylius » Version: 2.1.4
    cpe:2.3:a:sylius:sylius:2.1.4
  • Sylius » Sylius » Version: 2.1.5
    cpe:2.3:a:sylius:sylius:2.1.5
  • Sylius » Sylius » Version: 2.1.6
    cpe:2.3:a:sylius:sylius:2.1.6



Shodan ® - All rights reserved