CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-5597-7rmh-97q5: Sylius: Cart FormComponent allows modification or deletion of an already-completed order

mediumCVSS 6.5CVE-2026-53637
Impact A user opens the cart page in the browser. In the background, the order gets completed, e.g. an admin changes the status, or the user finalizes payment in another tab. The browser still displays the old cart: the LiveComponent is unaware the underlying order state has changed. If the user then: - clears the cart → clearCart() calls manager->remove() on the completed order: the order is permanently deleted from the database; - removes a product → removeItem() mutates an item on the completed order; - changes quantity → saveCart() overwrites data on the completed order. In all cases, the customer's order data is irreversibly corrupted or lost, even though the order has already been placed and paid for. The same vector can be triggered deliberately by an authenticated customer (keep the cart page open, complete checkout in another tab, then modify the "cart" to add quantity beyond what was paid for). Patches The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above. Workarounds If users cannot update Sylius immediately, they should create a patched copy of the affected class in their application's src/ directory and override the Sylius service definition to use it. Step 1. Create src/Twig/Component/Cart/FormComponent.php <?php declare(strict_types=1); namespace App\Twig\Component\Cart; use Doctrine\Persistence\ObjectManager; use Sylius\Bundle\UiBundle\Twig\Component\ResourceFormComponentTrait; use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait; use Sylius\Component\Core\Model\OrderInterface; use Sylius\Component\Core\OrderCheckoutStates; use Sylius\Component\Core\Repository\OrderRepositoryInterface; use Sylius\Component\Order\SyliusCartEvents; use Sylius\Resource\Model\ResourceInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\GenericEvent; use Symfony\Component\Form\FormFactoryInterface; use Symfony\UX\LiveComponent\Attribute\LiveAction; use Symfony\UX\LiveComponent\Attribute

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.5
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-5597-7rmh-97q5

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-53637coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories