GHSA-5597-7rmh-97q5: Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Sylius versions prior to 2.0.18, 2.1.15, and 2.2.6 contain a vulnerability in the Cart FormComponent that allows modification or deletion of an already-completed order. This occurs because the cart page in the browser does not reflect changes made to the order status in the background, allowing actions such as clearing the cart, removing products, or changing quantities to corrupt or delete completed order data irreversibly.
AI Analysis
Technical Summary
The Sylius Cart FormComponent does not properly handle state changes when an order is completed in the background (e.g., by an admin or payment finalization in another tab). The LiveComponent displaying the cart remains unaware of the order's completed state, allowing users to perform actions like clearing the cart, removing items, or changing quantities on an order that is already completed. These actions result in permanent deletion or corruption of the order data in the database. The vulnerability affects Sylius versions >=2.0.0 <2.0.18, >=2.1.0 <2.1.15, and >=2.2.0 <2.2.6. The issue is fixed in versions 2.0.18, 2.1.15, and 2.2.6 and later.
Potential Impact
An attacker or legitimate user can cause irreversible loss or corruption of completed order data by manipulating the cart page after the order has been finalized. This can lead to deletion of completed orders or unauthorized modification of order contents, potentially impacting order integrity and customer trust. There is no direct confidentiality or availability impact reported, but integrity is severely affected.
Mitigation Recommendations
A fix is available in Sylius versions 2.0.18, 2.1.15, and 2.2.6 and above. Users should upgrade to these versions or later to resolve the issue. If immediate upgrade is not possible, a workaround involves creating a patched copy of the affected Cart FormComponent class in the application source directory and overriding the Sylius service definition to use the patched class, as detailed in the vendor advisory.
GHSA-5597-7rmh-97q5: Sylius: Cart FormComponent allows modification or deletion of an already-completed order
Description
Sylius versions prior to 2.0.18, 2.1.15, and 2.2.6 contain a vulnerability in the Cart FormComponent that allows modification or deletion of an already-completed order. This occurs because the cart page in the browser does not reflect changes made to the order status in the background, allowing actions such as clearing the cart, removing products, or changing quantities to corrupt or delete completed order data irreversibly.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Sylius Cart FormComponent does not properly handle state changes when an order is completed in the background (e.g., by an admin or payment finalization in another tab). The LiveComponent displaying the cart remains unaware of the order's completed state, allowing users to perform actions like clearing the cart, removing items, or changing quantities on an order that is already completed. These actions result in permanent deletion or corruption of the order data in the database. The vulnerability affects Sylius versions >=2.0.0 <2.0.18, >=2.1.0 <2.1.15, and >=2.2.0 <2.2.6. The issue is fixed in versions 2.0.18, 2.1.15, and 2.2.6 and later.
Potential Impact
An attacker or legitimate user can cause irreversible loss or corruption of completed order data by manipulating the cart page after the order has been finalized. This can lead to deletion of completed orders or unauthorized modification of order contents, potentially impacting order integrity and customer trust. There is no direct confidentiality or availability impact reported, but integrity is severely affected.
Mitigation Recommendations
A fix is available in Sylius versions 2.0.18, 2.1.15, and 2.2.6 and above. Users should upgrade to these versions or later to resolve the issue. If immediate upgrade is not possible, a workaround involves creating a patched copy of the affected Cart FormComponent class in the application source directory and overriding the Sylius service definition to use the patched class, as detailed in the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-5597-7rmh-97q5
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-53637"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a50ba7168715ace4358010d
Added to database: 07/10/2026, 09:25:05 UTC
Last enriched: 07/10/2026, 09:53:50 UTC
Last updated: 07/10/2026, 18:40:11 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.