CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53637

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-09
Impact A user opens the cart page in the browser. In the background, the order gets completed, e.g. an admin changes the status, or the user finalizes payment in another tab. The browser still displays the old cart: the LiveComponent is unaware the underlying order state has changed. If the user then: - clears the cart → clearCart() calls manager->remove() on the completed order: the order is permanently deleted from the database; - removes a product → removeItem() mutates an item on the completed order; - changes quantity → saveCart() overwrites data on the completed order. In all cases, the customer's order data is irreversibly corrupted or lost, even though the order has already been placed and paid for. The same vector can be triggered deliberately by an authenticated customer (keep the cart page open, complete checkout in another tab, then modify the "cart" to add quantity beyond what was paid for). Patches The issue is fixed in versions: 2.0.18, 2.1.15, 2.2.6 and above. Workarounds If users cannot update Sylius immediately, they should create a patched copy of the affected class in their application's src/ directory and override the Sylius service definition to use it. Step 1. Create src/Twig/Component/Cart/FormComponent.php <?php declare(strict_types=1); namespace App\Twig\Component\Cart; use Doctrine\Persistence\ObjectManager; use Sylius\Bundle\UiBundle\Twig\Component\ResourceFormComponentTrait; use Sylius\Bundle\UiBundle\Twig\Component\TemplatePropTrait; use Sylius\Component\Core\Model\OrderInterface; use Sylius\Component\Core\OrderCheckoutStates; use Sylius\Component\Core\Repository\OrderRepositoryInterface; use Sylius\Component\Order\SyliusCartEvents; use Sylius\Resource\Model\ResourceInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\EventDispatcher\GenericEvent; use Symfony\Component\Form\FormFactoryInterface; use Symfony\UX\LiveComponent\Attribute\LiveAction; use Symfony\UX\LiveComponent\Attribute

⚡ Watch CVE-2026-53637

Get an email if CVE-2026-53637 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53637

CVE.org record

Embed the live status

CVE-2026-53637 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53637 status](https://www.csirts.com/badge/CVE-2026-53637)](https://www.csirts.com/cve/CVE-2026-53637)