CVE-2026-31825: Sylius has a DQL Injection via API Order Filters

March 11, 2026

Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine’s orderBy() without validation. An attacker can inject arbitrary DQL:

GET /api/v2/shop/products?order[price]=ASC,%20variant.code%20DESC

References

Code Behaviors & Features

Detect and mitigate CVE-2026-31825 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.9.12, all versions starting from 1.10.0 before 1.10.16, all versions starting from 1.11.0 before 1.11.17, all versions starting from 1.12.0 before 1.12.23, all versions starting from 1.13.0 before 1.13.15, all versions starting from 1.14.0 before 1.14.18, all versions starting from 2.0.0 before 2.0.16, all versions starting from 2.1.0 before 2.1.12, all versions starting from 2.2.0 before 2.2.3