Sylius security release (2.0.18/2.1.15/2.2.6)
Incident analysis (cluster post) of the Sylius security release of 2 June 2026. The release covers three advisories in the shop/payment API path:

- GHSA-5597-7rmh-97q5: cart FormComponent deletes/alters a completed order (CVSS 6.5, CWE-672/841)
- GHSA-mr9r-h354-966r: IDOR on shop payment-request endpoints (CWE-639)
- GHSA-6955-hrm5-c4qp: channel-based payment-method restriction bypass (CVSS 4.3, CWE-863)

Affected versions: 2.0.0-2.0.17, 2.1.0-2.1.14, 2.2.0-2.2.5. Fixed in 2.0.18 / 2.1.15 / 2.2.6. No CVE IDs are assigned, all three advisories are rated Moderate, and there is no known active exploitation. Fix via composer update; each flaw has a documented service-override workaround.
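To check whether a deployment sits in one of the affected ranges, the following added example (not code from the Sylius project or the advisories) reads a `composer.lock` and classifies the locked Sylius version. It assumes Sylius is installed as the `sylius/sylius` package and that the lock file uses Composer's usual `packages` / `packages-dev` lists; the sample lock content is constructed.

```python
import json
import re

# Affected ranges and fixed releases, as stated in the summary above.
AFFECTED = {
    (2, 0): ((2, 0, 0), (2, 0, 17), "2.0.18"),
    (2, 1): ((2, 1, 0), (2, 1, 14), "2.1.15"),
    (2, 2): ((2, 2, 0), (2, 2, 5), "2.2.6"),
}
PACKAGE = "sylius/sylius"  # assumption: Sylius installed as the full-stack package


def parse_version(raw):
    """Return (major, minor, patch) for a stable tag like 'v2.1.14', else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Classify the locked Sylius version found in composer.lock contents."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            # Branch aliases and pre-release tags cannot be compared; review by hand.
            return {"status": "unknown", "installed": raw, "fixed_in": None}
        entry = AFFECTED.get(ver[:2])
        if entry and entry[0] <= ver <= entry[1]:
            return {"status": "affected", "installed": raw, "fixed_in": entry[2]}
        # Only means "not in the ranges this page lists", nothing more.
        return {"status": "outside-listed-ranges", "installed": raw, "fixed_in": None}
    return {"status": "not-installed", "installed": None, "fixed_in": None}


# Constructed sample lock file (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "1.0.0"},
        {"name": "sylius/sylius", "version": "v2.1.14"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A result of `unknown` (for example a `-dev` branch alias) needs a manual look at the locked commit rather than being treated as safe.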