GHSA-5597-7rmh-97q5: Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Impact
A user opens the cart page in the browser. In the background, the order gets completed, e.g. an admin changes the status, or the user finalizes payment in another tab. The browser still displays the old cart: the LiveComponent is unaware the underlying order state has changed.
If the user then:
- clears the cart → clearCart() calls manager->remove() on the
completed order: the order is permanently deleted from the database;
- removes a product → removeItem() mutates an item on the completed
order;
- changes quantity → saveCart() overwrites data on the completed order.
In all cases, the customer's order data is irreversibly corrupted or lost, even though the order has already been placed and paid for. The same vector can be triggered deliberately by an authenticated customer (keep the cart page open, complete checkout in another tab, then modify the "cart" to add quantity beyond what was paid for).
Patches
The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above.
Workarounds
If users cannot update Sylius immediately, they should create a patched copy of the affected class in their application's src/ directory and override the Sylius service definition to use it.
Step 1. Create src/Twig/Component/Cart/FormComponent.php
<?php
declare(strict_types=1);
namespace App\Twig\Component\Cart;
use Doctrine\Persistence\ObjectManager;
use Sylius\Bundle\UiBundle\Twig\Component\ResourceFormComponentTrait;
use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait;
use Sylius\Component\Core\Model\OrderInterface;
use Sylius\Component\Core\OrderCheckoutStates;
use Sylius\Component\Core\Repository\OrderRepositoryInterface;
use Sylius\Component\Order\SyliusCartEvents;
use Sylius\Resource\Model\ResourceInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\GenericEvent;
use Symfony\Component\Form\FormFactoryInterface;
use Symfony\UX\LiveComponent\Attribute\LiveAction;
use Symfony\UX\LiveComponent\Attribute
Details
Original advisory: https://github.com/advisories/GHSA-5597-7rmh-97q5
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-53637 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10