Home / Vulnerability Intelligence / CVE-2026-31824

CVE-2026-31824 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 11, 2026

Sylius - Race Condition

Published: March 10, 2026Updated: March 11, 2026Remote Exploitable

Overview

Sylius contains a race condition in promotion and coupon usage limit enforcement caused by lack of atomic operations and locking in usage count updates, letting attackers redeem limited-use promotions multiple times concurrently, exploit requires no authentication.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can redeem limited-use promotions or coupons unlimited times, causing direct financial loss.

Mitigation

Update to versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 or later.

References

https://github.com/Sylius/Sylius/security/advisories/GHSA-7mp4-25j8-hp5q

Related Resources

Details

CVE ID: CVE-2026-31824
Severity: High
CVSS Score: 8.2
Type: race_condition
Status: confirmed

CWE

CWE-362
CWE-367

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L