CWE-841
AllowedImproper Enforcement of Behavioral Workflow
Abstraction: Class · Status: Incomplete
The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
87 vulnerabilities reference this CWE, most recent first.
GHSA-2J82-37XG-F9WP
Vulnerability from github – Published: 2026-06-08 15:33 – Updated: 2026-06-08 15:33Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.
In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.
A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.
This issue affects gun: from 2.0.0 before 2.4.0.
{
"affected": [],
"aliases": [
"CVE-2026-43974"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-08T15:16:46Z",
"severity": "HIGH"
},
"details": "Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response.\n\nIn gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode.\n\nA malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM.\n\nThis issue affects gun: from 2.0.0 before 2.4.0.",
"id": "GHSA-2j82-37xg-f9wp",
"modified": "2026-06-08T15:33:00Z",
"published": "2026-06-08T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43974"
},
{
"type": "WEB",
"url": "https://github.com/ninenines/gun/commit/5b48068c29ce5e112cb149b5857c7d4dc319a81b"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-43974.html"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43974"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3J3R-8QHC-763H
Vulnerability from github – Published: 2024-10-09 18:31 – Updated: 2024-10-12 00:30A loop hole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products.
{
"affected": [],
"aliases": [
"CVE-2024-46307"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T17:15:19Z",
"severity": "HIGH"
},
"details": "A loop hole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products.",
"id": "GHSA-3j3r-8qhc-763h",
"modified": "2024-10-12T00:30:47Z",
"published": "2024-10-09T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46307"
},
{
"type": "WEB",
"url": "https://gitee.com/sparkshop/sparkshop"
},
{
"type": "WEB",
"url": "https://github.com/Yllxx03/CVE/tree/main/CVE-2024-46307"
},
{
"type": "WEB",
"url": "http://sparkshop.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3WQR-83X4-348R
Vulnerability from github – Published: 2026-03-27 18:31 – Updated: 2026-03-27 21:31A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.
{
"affected": [],
"aliases": [
"CVE-2026-30574"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-27T17:16:28Z",
"severity": "HIGH"
},
"details": "A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock.",
"id": "GHSA-3wqr-83x4-348r",
"modified": "2026-03-27T21:31:35Z",
"published": "2026-03-27T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30574"
},
{
"type": "WEB",
"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Pharmacy-Product-Management-System/Logic-AddSales-Overselling.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4H2C-C5G9-52GG
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow.
{
"affected": [],
"aliases": [
"CVE-2025-36333"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T21:16:29Z",
"severity": "MODERATE"
},
"details": "IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 could allow an authenticated user to perform unauthorized actions due to the improper enforcement of behavioral workflow.",
"id": "GHSA-4h2c-c5g9-52gg",
"modified": "2026-06-30T21:31:45Z",
"published": "2026-06-30T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36333"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7277801"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-52VV-5WF4-FGHJ
Vulnerability from github – Published: 2026-03-04 00:30 – Updated: 2026-03-04 15:30Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
{
"affected": [],
"aliases": [
"CVE-2026-3130"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T22:16:29Z",
"severity": "CRITICAL"
},
"details": "Improper Enforcement of Behavioral Controls in\u00a0Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.",
"id": "GHSA-52vv-5wf4-fghj",
"modified": "2026-03-04T15:30:34Z",
"published": "2026-03-04T00:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3130"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2026-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5597-7RMH-97Q5
Vulnerability from github – Published: 2026-07-09 21:03 – Updated: 2026-07-09 21:03Impact
A user opens the cart page in the browser. In the background, the order gets completed, e.g. an admin changes the status, or the user finalizes payment in another tab. The browser still displays the old cart: the LiveComponent is unaware the underlying order state has changed.
If the user then:
- clears the cart →
clearCart()callsmanager->remove()on the completed order: the order is permanently deleted from the database; - removes a product →
removeItem()mutates an item on the completed order; - changes quantity →
saveCart()overwrites data on the completed order.
In all cases, the customer's order data is irreversibly corrupted or lost, even though the order has already been placed and paid for. The same vector can be triggered deliberately by an authenticated customer (keep the cart page open, complete checkout in another tab, then modify the "cart" to add quantity beyond what was paid for).
Patches
The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above.
Workarounds
If users cannot update Sylius immediately, they should create a patched copy of the affected class in their application's src/ directory and override the Sylius service definition to use it.
Step 1. Create src/Twig/Component/Cart/FormComponent.php
<?php
declare(strict_types=1);
namespace App\Twig\Component\Cart;
use Doctrine\Persistence\ObjectManager;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceFormComponentTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\OrderCheckoutStates;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Order\SyliusCartEvents;
use Sylius\Resource\Model\ResourceInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\GenericEvent;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\UX\LiveComponent\Attribute\LiveAction;
use Symfony\UX\LiveComponent\Attribute\LiveArg;
use Symfony\UX\LiveComponent\Attribute\PreReRender;
use Symfony\UX\LiveComponent\ComponentToolsTrait;
class FormComponent
{
use ComponentToolsTrait;
/** @use ResourceFormComponentTrait<OrderInterface> */
use ResourceFormComponentTrait;
use TemplatePropTrait;
public const SYLIUS_SHOP_CART_CHANGED = 'sylius:shop:cart_changed';
public const SYLIUS_SHOP_CART_CLEARED = 'sylius:shop:cart_cleared';
public bool $shouldSaveCart = true;
/** @param OrderRepositoryInterface<OrderInterface> $orderRepository */
public function __construct(
OrderRepositoryInterface $orderRepository,
FormFactoryInterface $formFactory,
string $resourceClass,
string $formClass,
protected readonly ObjectManager $manager,
protected readonly EventDispatcherInterface $eventDispatcher,
) {
$this->initialize($orderRepository, $formFactory, $resourceClass, $formClass);
}
public function hydrateResource(mixed $value): ?ResourceInterface
{
if (empty($value)) {
return $this->createResource();
}
/** @var OrderInterface|null $order */
$order = $this->repository->find($value);
if (
!$order instanceof OrderInterface
|| $order->getCheckoutState() === OrderCheckoutStates::STATE_COMPLETED
) {
return $this->createResource();
}
return $order;
}
#[PreReRender(priority: -100)]
public function saveCart(): void
{
if ($this->shouldSaveCart && $this->resource?->getId() !== null) {
$form = $this->getForm();
if ($form->isValid()) {
$this->eventDispatcher->dispatch(new GenericEvent($form->getData()), SyliusCartEvents::CART_CHANGE);
$this->manager->flush();
$this->emit(self::SYLIUS_SHOP_CART_CHANGED, ['cartId' => $this->resource->getId()]);
}
}
}
#[LiveAction]
public function removeItem(#[LiveArg] int $index): void
{
if ($this->resource?->getId() === null) {
return;
}
$data = $this->formValues['items'];
unset($data[$index]);
$this->formValues['items'] = array_values($data);
$orderItem = $this->resource->getItems()->get($index);
$this->eventDispatcher->dispatch(new GenericEvent($orderItem), SyliusCartEvents::CART_ITEM_REMOVE);
$this->manager->persist($this->resource);
$this->manager->flush();
$this->manager->refresh($this->resource);
$this->shouldSaveCart = false;
$this->submitForm();
$this->emit(self::SYLIUS_SHOP_CART_CHANGED, ['cartId' => $this->resource->getId()]);
}
#[LiveAction]
public function clearCart(): void
{
if ($this->resource?->getId() === null) {
return;
}
$this->formValues['items'] = [];
$this->eventDispatcher->dispatch(new GenericEvent($this->resource), SyliusCartEvents::CART_CLEAR);
$this->manager->remove($this->resource);
$this->manager->flush();
$this->resource = $this->createResource();
$this->resetForm();
$this->isValidated = false;
$this->validatedFields = [];
$this->shouldSaveCart = false;
$this->submitForm();
$this->emit(self::SYLIUS_SHOP_CART_CLEARED);
}
#[LiveAction]
public function removeCoupon(): void
{
$this->formValues['promotionCoupon'] = '';
$this->submitForm();
}
private function getDataModelValue(): string
{
return 'debounce(500)|*';
}
}
Step 2. Override the Sylius service in config/services.yaml
Append to the application's config/services.yaml (or a dedicated file loaded by the kernel, e.g. config/packages/sylius_security_cart.yaml):
services:
sylius_shop.twig.component.cart.form:
class: App\Twig\Component\Cart\FormComponent
arguments:
- '@sylius.repository.order'
- '@form.factory'
- '%sylius.model.order.class%'
- 'Sylius\Bundle\ShopBundle\Form\Type\CartType'
- '@doctrine.orm.entity_manager'
- '@event_dispatcher'
calls:
- [setLiveResponder, ['@ux.live_component.live_responder']]
tags:
- { name: sylius.live_component.shop, key: 'sylius_shop:cart:form' }
This redeclares the existing Sylius service id sylius_shop.twig.component.cart.form so it instantiates the patched class from App\ while preserving every argument, call and tag from the original Sylius XML definition. The cart twig hook keeps resolving to the same Live Component key (sylius_shop:cart:form).
Step 3. Clear the cache
bin/console cache:clear
Reporters
We would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability: - Kévin Gonella (@kgonella) - Sam V.
For more information
If there are any questions or comments about this advisory:
- Open an issue in Sylius issues
- Send an email to security@sylius.com
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53637"
],
"database_specific": {
"cwe_ids": [
"CWE-672",
"CWE-841"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T21:03:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nA user opens the cart page in the browser. In the background, the order gets completed, e.g. an admin changes the status, or the user finalizes payment in another tab. The browser still displays the old cart: the LiveComponent is unaware the underlying order state has changed.\n\nIf the user then:\n\n- **clears the cart** \u2192 `clearCart()` calls `manager-\u003eremove()` on the\n completed order: the order is permanently **deleted** from the database;\n- **removes a product** \u2192 `removeItem()` mutates an item on the completed\n order;\n- **changes quantity** \u2192 `saveCart()` overwrites data on the completed order.\n\nIn all cases, the customer\u0027s order data is irreversibly corrupted or lost, even though the order has already been placed and paid for. The same vector can be triggered deliberately by an authenticated customer (keep the cart page open, complete checkout in another tab, then modify the \"cart\" to add quantity beyond what was paid for).\n\n### Patches\nThe issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above.\n\n### Workarounds\nIf users cannot update Sylius immediately, they should create a patched copy of the affected class in their application\u0027s `src/` directory and override the Sylius service definition to use it.\n\n#### Step 1. Create `src/Twig/Component/Cart/FormComponent.php`\n\n```php\n\u003c?php\n\ndeclare(strict_types=1);\n\nnamespace App\\Twig\\Component\\Cart;\n\nuse Doctrine\\Persistence\\ObjectManager;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\ResourceFormComponentTrait;\nuse Sylius\\Bundle\\UiBundle\\Twig\\Component\\TemplatePropTrait;\nuse Sylius\\Component\\Core\\Model\\OrderInterface;\nuse Sylius\\Component\\Core\\OrderCheckoutStates;\nuse Sylius\\Component\\Core\\Repository\\OrderRepositoryInterface;\nuse Sylius\\Component\\Order\\SyliusCartEvents;\nuse Sylius\\Resource\\Model\\ResourceInterface;\nuse Symfony\\Component\\EventDispatcher\\EventDispatcherInterface;\nuse Symfony\\Component\\EventDispatcher\\GenericEvent;\nuse Symfony\\Component\\Form\\FormFactoryInterface;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveAction;\nuse Symfony\\UX\\LiveComponent\\Attribute\\LiveArg;\nuse Symfony\\UX\\LiveComponent\\Attribute\\PreReRender;\nuse Symfony\\UX\\LiveComponent\\ComponentToolsTrait;\n\nclass FormComponent\n{\n use ComponentToolsTrait;\n\n /** @use ResourceFormComponentTrait\u003cOrderInterface\u003e */\n use ResourceFormComponentTrait;\n\n use TemplatePropTrait;\n\n public const SYLIUS_SHOP_CART_CHANGED = \u0027sylius:shop:cart_changed\u0027;\n\n public const SYLIUS_SHOP_CART_CLEARED = \u0027sylius:shop:cart_cleared\u0027;\n\n public bool $shouldSaveCart = true;\n\n /** @param OrderRepositoryInterface\u003cOrderInterface\u003e $orderRepository */\n public function __construct(\n OrderRepositoryInterface $orderRepository,\n FormFactoryInterface $formFactory,\n string $resourceClass,\n string $formClass,\n protected readonly ObjectManager $manager,\n protected readonly EventDispatcherInterface $eventDispatcher,\n ) {\n $this-\u003einitialize($orderRepository, $formFactory, $resourceClass, $formClass);\n }\n\n public function hydrateResource(mixed $value): ?ResourceInterface\n {\n if (empty($value)) {\n return $this-\u003ecreateResource();\n }\n\n /** @var OrderInterface|null $order */\n $order = $this-\u003erepository-\u003efind($value);\n\n if (\n !$order instanceof OrderInterface\n || $order-\u003egetCheckoutState() === OrderCheckoutStates::STATE_COMPLETED\n ) {\n return $this-\u003ecreateResource();\n }\n\n return $order;\n }\n\n #[PreReRender(priority: -100)]\n public function saveCart(): void\n {\n if ($this-\u003eshouldSaveCart \u0026\u0026 $this-\u003eresource?-\u003egetId() !== null) {\n $form = $this-\u003egetForm();\n if ($form-\u003eisValid()) {\n $this-\u003eeventDispatcher-\u003edispatch(new GenericEvent($form-\u003egetData()), SyliusCartEvents::CART_CHANGE);\n $this-\u003emanager-\u003eflush();\n $this-\u003eemit(self::SYLIUS_SHOP_CART_CHANGED, [\u0027cartId\u0027 =\u003e $this-\u003eresource-\u003egetId()]);\n }\n }\n }\n\n #[LiveAction]\n public function removeItem(#[LiveArg] int $index): void\n {\n if ($this-\u003eresource?-\u003egetId() === null) {\n return;\n }\n\n $data = $this-\u003eformValues[\u0027items\u0027];\n unset($data[$index]);\n $this-\u003eformValues[\u0027items\u0027] = array_values($data);\n\n $orderItem = $this-\u003eresource-\u003egetItems()-\u003eget($index);\n $this-\u003eeventDispatcher-\u003edispatch(new GenericEvent($orderItem), SyliusCartEvents::CART_ITEM_REMOVE);\n\n $this-\u003emanager-\u003epersist($this-\u003eresource);\n $this-\u003emanager-\u003eflush();\n $this-\u003emanager-\u003erefresh($this-\u003eresource);\n\n $this-\u003eshouldSaveCart = false;\n $this-\u003esubmitForm();\n $this-\u003eemit(self::SYLIUS_SHOP_CART_CHANGED, [\u0027cartId\u0027 =\u003e $this-\u003eresource-\u003egetId()]);\n }\n\n #[LiveAction]\n public function clearCart(): void\n {\n if ($this-\u003eresource?-\u003egetId() === null) {\n return;\n }\n\n $this-\u003eformValues[\u0027items\u0027] = [];\n $this-\u003eeventDispatcher-\u003edispatch(new GenericEvent($this-\u003eresource), SyliusCartEvents::CART_CLEAR);\n $this-\u003emanager-\u003eremove($this-\u003eresource);\n $this-\u003emanager-\u003eflush();\n\n $this-\u003eresource = $this-\u003ecreateResource();\n $this-\u003eresetForm();\n $this-\u003eisValidated = false;\n $this-\u003evalidatedFields = [];\n\n $this-\u003eshouldSaveCart = false;\n $this-\u003esubmitForm();\n $this-\u003eemit(self::SYLIUS_SHOP_CART_CLEARED);\n }\n\n #[LiveAction]\n public function removeCoupon(): void\n {\n $this-\u003eformValues[\u0027promotionCoupon\u0027] = \u0027\u0027;\n\n $this-\u003esubmitForm();\n }\n\n private function getDataModelValue(): string\n {\n return \u0027debounce(500)|*\u0027;\n }\n}\n```\n\n#### Step 2. Override the Sylius service in `config/services.yaml`\n\nAppend to the application\u0027s `config/services.yaml` (or a dedicated file loaded by the kernel, e.g. `config/packages/sylius_security_cart.yaml`):\n\n```yaml\nservices:\n sylius_shop.twig.component.cart.form:\n class: App\\Twig\\Component\\Cart\\FormComponent\n arguments:\n - \u0027@sylius.repository.order\u0027\n - \u0027@form.factory\u0027\n - \u0027%sylius.model.order.class%\u0027\n - \u0027Sylius\\Bundle\\ShopBundle\\Form\\Type\\CartType\u0027\n - \u0027@doctrine.orm.entity_manager\u0027\n - \u0027@event_dispatcher\u0027\n calls:\n - [setLiveResponder, [\u0027@ux.live_component.live_responder\u0027]]\n tags:\n - { name: sylius.live_component.shop, key: \u0027sylius_shop:cart:form\u0027 }\n```\n\nThis redeclares the existing Sylius service id `sylius_shop.twig.component.cart.form` so it instantiates the patched class from `App\\` while preserving every argument, call and tag from the original Sylius XML definition. The cart twig hook keeps resolving to the same Live Component key (`sylius_shop:cart:form`).\n\n#### Step 3. Clear the cache\n\n```bash\nbin/console cache:clear\n```\n\n### Reporters\n\nWe would like to extend our gratitude to the following individuals for their detailed reporting and responsible disclosure of this vulnerability:\n- K\u00e9vin Gonella (@kgonella)\n- Sam V.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen)\n- Send an email to [security@sylius.com](mailto:security@sylius.com)",
"id": "GHSA-5597-7rmh-97q5",
"modified": "2026-07-09T21:03:41Z",
"published": "2026-07-09T21:03:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-5597-7rmh-97q5"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sylius: Cart FormComponent allows modification or deletion of an already-completed order"
}
GHSA-5QW6-59G4-VVQW
Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one payment.
{
"affected": [],
"aliases": [
"CVE-2026-13223"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T15:16:34Z",
"severity": "MODERATE"
},
"details": "Our payment integration with Computop-based payment methods did not \nproperly validate payment status responses. An attacker could use a \nsuccessful payment status response from one payment and supply it to the\n system for a different payment, gaining access to multiple valid \ntickets with only one payment.",
"id": "GHSA-5qw6-59g4-vvqw",
"modified": "2026-06-25T15:32:02Z",
"published": "2026-06-25T15:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13223"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20260625-release-2026-5-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-62MF-VHHW-XMF8
Vulnerability from github – Published: 2025-05-23 16:11 – Updated: 2025-05-23 18:46A malicious SuperUser (Host) could craft a request to use an external url for a site export to then be imported.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "DotNetNuke.SiteExportImport"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.13.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48376"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-23T16:11:14Z",
"nvd_published_at": "2025-05-23T16:15:27Z",
"severity": "LOW"
},
"details": "A malicious SuperUser (Host) could craft a request to use an external url for a site export to then be imported.",
"id": "GHSA-62mf-vhhw-xmf8",
"modified": "2025-05-23T18:46:09Z",
"published": "2025-05-23T16:11:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-62mf-vhhw-xmf8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48376"
},
{
"type": "WEB",
"url": "https://github.com/dnnsoftware/Dnn.Platform/commit/13fb13ee76173c3467d7ee8d120b20ca7bd4fa63"
},
{
"type": "PACKAGE",
"url": "https://github.com/dnnsoftware/Dnn.Platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "DNN site Import could use an external source with a crafted request"
}
GHSA-6XPP-JM6C-3V96
Vulnerability from github – Published: 2023-08-06 09:30 – Updated: 2023-08-06 09:30A vulnerability, which was classified as critical, has been found in SourceCodester Free Hospital Management System for Small Practices 1.0. Affected by this issue is some unknown functionality of the file /vm/admin/delete-doctor.php?id=2 of the component Redirect Handler. The manipulation leads to enforcement of behavioral workflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-236216.
{
"affected": [],
"aliases": [
"CVE-2023-4181"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-06T09:15:09Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in SourceCodester Free Hospital Management System for Small Practices 1.0. Affected by this issue is some unknown functionality of the file /vm/admin/delete-doctor.php?id=2 of the component Redirect Handler. The manipulation leads to enforcement of behavioral workflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-236216.",
"id": "GHSA-6xpp-jm6c-3v96",
"modified": "2023-08-06T09:30:18Z",
"published": "2023-08-06T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4181"
},
{
"type": "WEB",
"url": "https://github.com/Yesec/Free-Hospital-Management-System-for-Small-Practices/blob/main/vertical%20privilege%20escalation/vuln.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.236216"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.236216"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7J6Q-QXMG-PQP2
Vulnerability from github – Published: 2024-06-18 21:30 – Updated: 2024-09-21 00:34A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895.
{
"affected": [],
"aliases": [
"CVE-2024-6128"
],
"database_specific": {
"cwe_ids": [
"CWE-841"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-18T21:15:56Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895.",
"id": "GHSA-7j6q-qxmg-pqp2",
"modified": "2024-09-21T00:34:48Z",
"published": "2024-06-18T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6128"
},
{
"type": "WEB",
"url": "https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2024/Jun/6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.268895"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.268895"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.