CVE-2026-31824

Published: Mar 10, 2026 Last Modified: Mar 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,2

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: high

Availability: low

Description

AI Translation Available

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limit (the global used counter on PromotionCoupon entities), and coupon per-customer usage limit (the per-customer redemption count on PromotionCoupon entities). In all three cases, the eligibility check reads the used counter (or order count) from an in-memory Doctrine entity during validation, while the actual usage increment in OrderPromotionsUsageModifier happens later during order completion — with no database-level locking or atomic operations between the two phases. Because Doctrine flushes an absolute value (SET used = 1) rather than an atomic increment (SET used = used + 1), and because the affected entities lack optimistic locking, concurrent requests all read the same stale usage counts and pass the eligibility checks simultaneously. An attacker can exploit this by preparing multiple carts with the same limited-use promotion or coupon and firing simultaneous PATCH /api/v2/shop/orders/{token}/complete requests. All requests pass the usage limit checks and complete successfully, allowing a single-use promotion or coupon to be redeemed an arbitrary number of times. The per-customer limit can be bypassed in the same way by a single customer completing multiple orders concurrently. No authentication is required to exploit this vulnerability. This may lead to direct financial loss through unlimited redemption of limited-use promotions and discount coupons. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.

AI Generated Translation

Sylius è un framework open source per l'eCommerce basato su Symfony. È stato scoperto un race condition di tipo Time-of-Check To Time-of-Use (TOCTOU) nell'applicazione delle limitazioni di utilizzo delle promozioni. La stessa classe di vulnerabilità riguarda il limite di utilizzo delle promozioni (il contatore globale usato sugli enti Promotion), il limite di utilizzo dei coupon (il contatore globale usato sugli enti PromotionCoupon) e il limite di utilizzo per cliente dei coupon (il conteggio delle redemption per cliente sugli enti PromotionCoupon). In tutti e tre i casi, il controllo di eleggibilità legge il contatore usato (o il conteggio degli ordini) da un'entità Doctrine in memoria durante la validazione, mentre l'incremento effettivo dell'uso in OrderPromotionsUsageModifier avviene successivamente durante la finalizzazione dell'ordine — senza locking a livello di database o operazioni atomiche tra le due fasi. Poiché Doctrine effettua il flush di un valore assoluto (SET used = 1) anziché un incremento atomico (SET used = used + 1), e poiché gli enti interessati non prevedono locking ottimistico, le richieste concorrenti leggono tutti gli stessi valori obsoleti di utilizzo e superano contemporaneamente i controlli di eleggibilità. Un attaccante può sfruttare questa vulnerabilità preparando più carrelli con la stessa promozione o coupon a uso limitato e inviando richieste PATCH /api/v2/shop/orders/{token}/complete simultanee. Tutte le richieste superano i controlli di limite di utilizzo e vengono completate con successo, consentendo a una promozione o a un coupon a uso singolo di essere riscattati un numero arbitrario di volte. Il limite per cliente può essere aggirato nello stesso modo, completando più ordini contemporaneamente come lo stesso cliente. Non è richiesta autenticazione per sfruttare questa vulnerabilità. Ciò può portare a perdite finanziarie dirette attraverso il riscatto illimitato di promozioni e coupon sconto a uso limitato. Il problema è stato risolto nelle versioni: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 e versioni successive.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0004

Percentile

0,1th

Updated

EPSS Score Trend (Last 7 Days)

362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Confidentiality Integrity Access Control

Potential Impacts:

Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other) Dos: Crash, Exit, Or Restart Dos: Instability Read Files Or Directories Read Application Data Execute Unauthorized Code Or Commands Gain Privileges Or Assume Identity Bypass Protection Mechanism

Applicable Platforms

Languages: C, C++, Java

Technologies: ICS/OT, Mobile

Likelihood of Exploit: Medium

View CWE Details

367

Time-of-check Time-of-use (TOCTOU) Race Condition

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other Non-Repudiation

Potential Impacts:

Alter Execution Logic Unexpected State Modify Application Data Modify Files Or Directories Modify Memory Other Hide Activities

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: Medium

View CWE Details

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 1.10.0 (inclusive)

To 1.10.16 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 1.12.0 (inclusive)

To 1.12.23 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

To 1.9.12 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 1.11.0 (inclusive)

To 1.11.17 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 1.14.0 (inclusive)

To 1.14.18 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 1.13.0 (inclusive)

To 1.13.15 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 2.2.0 (inclusive)

To 2.2.3 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 2.0.0 (inclusive)

To 2.0.16 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Sylius by Sylius

Product Information

Vendor Sylius

Product Sylius

Version Range Affected

From 2.1.0 (inclusive)

To 2.1.12 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/Sylius/Sylius/security/advisories/GHSA-7…

https://github.com/Sylius/Sylius/security/advisories/GHSA-7mp4-25j8-hp5q

CVE-2026-31824

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 7 Days)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Common Consequences

Applicable Platforms

Time-of-check Time-of-use (TOCTOU) Race Condition

Common Consequences

Applicable Platforms

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Sylius by Sylius

Product Information

Iscriviti alla newsletter