Sylius Security - complete overview

by Sansec

Published in Guides

Sylius stores handle sensitive customer and payment data. Follow these best practices to keep your store and your customers safe.

Sylius is an open source eCommerce framework built on Symfony. This guide covers the risks specific to Sylius stores and the steps to protect them.

Understanding the Risks

Sylius runs on Symfony, so it ships with firewalls, role based access control and CSRF protection by default. Most incidents we investigate do not break the framework itself. They abuse stolen credentials, outdated dependencies and third party code that never gets reviewed.

Common Sylius Attacks

1. Cross site scripting (XSS): The most common flaw class fixed in Sylius. Attackers inject scripts that run in a visitor's or admin's browser, which they use to plant payment skimmers or hijack admin sessions.

   Example: CVE-2026-31822 was an XSS flaw in the checkout login form, reachable by ordinary customers. It was fixed in Sylius 2.0.16, 2.1.12 and 2.2.3. Earlier, CVE-2024-34349 allowed stored XSS in the admin panel through the Name field of Taxons, Products and Variants.

2. Malicious file uploads: Releases before 1.9.10, 1.10.11 and 1.11.2 allowed stored XSS through SVG uploads in the admin panel. Unrestricted upload handling remains a common path to a webshell.

3. Vulnerable third party plugins: Stores run payment, shipping and marketing plugins plus custom bundles. This code is rarely audited and is where attackers hide skimmers and backdoors.

4. Guessed or leaked staff passwords: A weak or reused admin password lets an attacker log straight into /admin and inject malicious code.

Best Practices for Sylius Security

1. Keep Sylius and its dependencies updated

Run a current Sylius release and update Symfony, PHP and every Composer package. Each release fixes known vulnerabilities.

Example: Run composer audit regularly to flag dependencies with known advisories, and subscribe to Sylius security advisories on GitHub.

2. Lock down the admin firewall

By default Sylius secures /admin routes behind a Symfony firewall so only authenticated admin users get in. Review your security configuration after any customization and confirm the admin firewall still requires ROLE_ADMIN.

Example: Keep public access limited to the login and logout paths, and require ROLE_ADMIN for every other admin route in config/packages/security.yaml.
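The following security.yaml excerpt is an added illustration, not Sylius's shipped configuration: the firewall name, the ^/admin path pattern, the provider and route names and the ROLE_ADMIN role are assumptions, so check them against your own install. It shows the weak rule ordering that a customisation can introduce beside the corrected one.

```yaml
# config/packages/security.yaml (excerpt). Added example; firewall name,
# path patterns, provider/route names and ROLE_ADMIN are assumptions.
security:
    firewalls:
        admin:
            context: admin
            pattern: ^/admin            # everything under /admin uses this firewall
            form_login:
                provider: sylius_admin_user_provider
                login_path: sylius_admin_login
                check_path: sylius_admin_login_check
            logout:
                path: sylius_admin_logout

    # Symfony applies the FIRST access_control entry whose path matches,
    # so the order of these rules decides what is public.
    access_control:
        # --- Weak: a catch-all rule added above the admin rule ---
        # "^/" matches /admin/* before the ROLE_ADMIN line is reached,
        # so every admin route becomes reachable without logging in.
        # - { path: ^/,             roles: PUBLIC_ACCESS }
        # - { path: ^/admin,        roles: ROLE_ADMIN }

        # --- Corrected: most specific rules first, catch-all last ---
        - { path: ^/admin/login,  roles: PUBLIC_ACCESS }   # login page only
        - { path: ^/admin/logout, roles: PUBLIC_ACCESS }   # logout only
        - { path: ^/admin,        roles: ROLE_ADMIN }      # all other admin routes
        - { path: ^/,             roles: PUBLIC_ACCESS }   # storefront
```

After changing the file, list the configured firewalls with `php bin/console debug:firewall` (Symfony 5.3 and later) and confirm the admin firewall still matches the /admin pattern.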

3. Strong passwords and two factor authentication

Enforce strong, unique passwords for all admin accounts and enable two factor authentication. Most admin compromises start with a guessed or leaked password.

4. Limit admin roles

Apply role based access control so each staff member only gets the permissions they need. Granular RBAC and ACL are available in Sylius Plus.

Example: Give content editors access to the catalog only, and keep configuration and user management for administrators.

5. Restrict and sanitize file uploads

Limit which file types admins and customers can upload, and never serve user supplied SVG files inline. SVG uploads have a history of stored XSS in Sylius.

6. Implement HTTPS

Serve the whole store over HTTPS to encrypt traffic between your server and customers.

Example: Get a certificate from Let's Encrypt and set up automatic renewal.

7. Set a Content Security Policy

A Content Security Policy limits which scripts the browser will run, which blunts XSS and stops many skimmers from exfiltrating card data. See our CSP and SRI guide.

8. Scan for malware server-side

Free or browser based scanners cannot see private code, custom bundles or writable directories. Run eComscan on the server to detect skimmers, backdoors and known vulnerable plugins across the full Sylius codebase.

9. Monitor and back up

Watch server and application logs for unusual admin logins and file changes, and automate off-site backups so you can recover quickly after an incident. See general store security for more.

Conclusion

Patch promptly, lock down admin access, watch your third party code and scan the files on disk. Sansec has tracked eCommerce attacks since 2015, and the same threat intelligence behind that work powers eComscan's Sylius coverage.
