Shopware: Nine Vulnerabilities Disclosed, Including Privilege Escalation and XSS
Nine security vulnerabilities were disclosed for Shopware on June 4, 2026, ranging in severity and impacting authentication, data handling, and administrative functions.

Key findings
- Nine Shopware vulnerabilities disclosed on June 4, 2026, span privilege escalation, XSS, and SSRF.
- Multiple CVEs allow unauthorized users to gain administrator privileges.
- Stored XSS via unsanitized SVG uploads poses a risk to user sessions.
- Authorization bypasses affect order payment processing and admin API state transitions.
- SSRF and open redirect vulnerabilities are also part of the disclosed batch.
Shopware, the e-commerce platform, is facing scrutiny following the coordinated disclosure of nine distinct security vulnerabilities on June 4, 2026. These flaws, all disclosed within a short 13-minute window, impact various aspects of the platform, including administrative access, data integrity, and user authentication.
Several vulnerabilities center on privilege escalation, allowing unauthorized users to gain administrative control. CVE-2026-48010 details how a non-admin user with user:create ACL permissions can create administrator accounts by exploiting the UserController::upsertUser() function, which writes user data in SYSTEM_SCOPE without properly filtering the 'admin' field. Similarly, CVE-2026-48009 describes an admin account takeover mechanism where a low-privilege admin with user_recovery:read access can exploit the user recovery process. This involves triggering a password reset for a target admin, reading the recovery hash from an Admin API search endpoint, and then using that hash to reset the victim's password. Further privilege escalation is possible via CVE-2026-48008, where a non-admin API user with integration:create privileges can bypass controls in the Sync API to create an integration with administrative rights, a capability that is correctly blocked by the regular integration endpoint.
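The three findings above share one defensive lesson: when a write runs in a scope that bypasses entity-level ACL, the authorization check has to happen on the payload itself, and secrets such as a recovery hash must be redacted on every read path, including generic search endpoints. The following is an added example written for this page, not Shopware's own UserController or any of its PHP code; it is in Python to show the pattern, and the field names, the `Caller` type and the `user:create` privilege string are assumptions taken from the description above.

```python
"""Hypothetical payload-level authorization for a user upsert and a user read.

Added example, not Shopware's UserController. Written in Python rather than the
platform's PHP to show the pattern: when a write is performed in a system scope
that bypasses entity ACL, privileged fields ('admin' here) must be checked
against the caller before the write, and secrets such as a password-recovery
hash must be redacted from every read path, including generic search endpoints.
"""
from dataclasses import dataclass, field

# Fields only an administrator may set. 'admin' is the one named in the
# disclosure; a real entity would list more (assumption).
PRIVILEGED_FIELDS = {"admin"}

# Columns that must never leave the API. A recovery hash is a bearer token for
# a password reset, so readable means usable.
SECRET_FIELDS = {"recovery_hash", "password"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the write."""


@dataclass
class Caller:
    user_id: str
    is_admin: bool
    privileges: set = field(default_factory=set)   # e.g. {"user:create"}


def sanitize_user_write(payload: dict, caller: Caller) -> dict:
    """Return a copy of payload that caller is allowed to persist.

    Raises Forbidden if the caller lacks the create privilege or tries to set a
    privileged field to a truthy value; falsy privileged fields are dropped so
    the persistence layer's default applies.
    """
    if not caller.is_admin and "user:create" not in caller.privileges:
        raise Forbidden("user:create privilege required")
    clean = dict(payload)
    if not caller.is_admin:
        for name in PRIVILEGED_FIELDS:
            if name not in clean:
                continue
            if clean[name]:
                # Reject loudly rather than silently drop, so the attempt is logged.
                raise Forbidden(f"field '{name}' may only be set by an administrator")
            del clean[name]
    return clean


def write_is_allowed(payload: dict, caller: Caller) -> bool:
    """True if sanitize_user_write would accept the payload for this caller."""
    try:
        sanitize_user_write(payload, caller)
        return True
    except Forbidden:
        return False


def redact_user_read(record: dict) -> dict:
    """Strip secret columns from a record before it is serialised to a client."""
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}


if __name__ == "__main__":
    staff = Caller("u-42", is_admin=False, privileges={"user:create"})
    print(sanitize_user_write({"username": "new.user", "admin": False}, staff))
    print(write_is_allowed({"username": "new.user", "admin": True}, staff))
    print(redact_user_read({"id": "u-1", "username": "root",
                            "recovery_hash": "constructed-hash"}))
```

The same allow-list idea applies to the integration case: the Sync API path needs the identical privileged-field check the regular integration endpoint already performs, because the attacker only has to find the one write path that forgot it.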
Beyond privilege escalation, other critical flaws include stored cross-site scripting (XSS) and authorization bypasses. CVE-2026-48015 highlights a stored XSS vulnerability stemming from a lack of SVG sanitization during file uploads. Any admin user can upload malicious SVG files containing JavaScript, which then executes in the context of the Shopware domain when accessed. An authorization flaw in the Store API, detailed in CVE-2026-48016, allows a low-privileged user to trigger the payment flow for another user's order by supplying a foreign orderId to the /store-api/handle-payment endpoint. Additionally, CVE-2026-48014 points to an Admin API ACL bypass in order state transition endpoints, where the lack of declared server-side ACL privileges allows unauthorized state changes.
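For the SVG finding, the practical control is a gate on upload that parses the document and rejects anything that can carry script before it is stored and later served from the shop's origin. The block below is an added example for this page, not Shopware's media code; it is a conservative deny-list check in Python, the element and attribute lists are assumptions about what a shop needs, and the sample SVG documents are constructed.

```python
"""Hypothetical gate for SVG uploads.

Added example, not Shopware's media code. It parses the uploaded document and
rejects the constructs through which SVG can execute script: script and
foreignObject elements, event-handler attributes, and href values that are not
same-document fragments or http(s) URLs. A deny-list like this is a check, not a
sanitizer; rejecting the file is the safe outcome when anything matches.
"""
import xml.etree.ElementTree as ET

# Elements that can carry or embed executable content (assumption: extend as needed).
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Schemes an href may use; anything else (javascript:, data:, ...) is rejected.
ALLOWED_HREF_SCHEMES = {"http", "https"}

# Constructed sample inputs for the usage section and tests.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<a href="#top"><circle r="4"/></a></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:x()"><text>t</text></a></svg>')


def _local_name(qualified: str) -> str:
    """'{namespace}name' -> 'name'; unqualified names pass through."""
    return qualified.rsplit("}", 1)[-1]


def svg_upload_findings(svg_bytes: bytes) -> list:
    """Return the list of reasons the document must be rejected (empty = ok)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        return [f"root element is <{_local_name(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():                      # root first, then descendants
        name = _local_name(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():   # xmlns declarations are not here
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler '{attr_name}' on <{name}>")
            elif attr_name == "href":           # covers both href and xlink:href
                ref = value.strip()             # the parser has already decoded entities
                scheme = ref.split(":", 1)[0].lower() if ":" in ref else ""
                if not ref.startswith("#") and scheme not in ALLOWED_HREF_SCHEMES:
                    findings.append(f"href '{ref[:40]}' on <{name}>")
    return findings


def accept_svg_upload(svg_bytes: bytes) -> bool:
    """Decision the upload handler would use: True only with zero findings."""
    return not svg_upload_findings(svg_bytes)


if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("href", HREF_SVG)]:
        print(label, accept_svg_upload(doc), svg_upload_findings(doc))
```

Because unknown schemes are rejected by default, obfuscated variants such as a tab inside the scheme name fail the same check without needing their own rule. If a shop legitimately embeds raster images via `data:` hrefs, that case needs an explicit allowance with a media-type check rather than a looser default. Serving uploaded SVGs with a `Content-Disposition: attachment` or from a separate origin is the complementary control when the file must be stored unchanged.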
Other disclosed vulnerabilities include a Server-Side Request Forgery (SSRF) in the Media External-Link endpoint (CVE-2026-48013), which allows authenticated admin users to make HTTP requests to arbitrary internal IP addresses, bypassing IP validation. An open redirect vulnerability (CVE-2026-48012) exists in Shopware's public SSO entry point, where the Referer header can be used as an arbitrary redirect target if an expected SSO session state is missing. Finally, CVE-2026-48011, a low-severity vulnerability, allows for the enumeration of administrator usernames through a timing attack on the admin panel.
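The SSRF and open-redirect findings are both input-validation failures on a URL or host the client controls. The following added example, written for this page and not taken from Shopware's media or SSO code, shows the two checks a defender would want in Python: an outbound fetch is allowed only when every address the host resolves to is public, and a client-supplied redirect target such as a Referer is honoured only when it stays on the site's own host. The resolver is injected and `FAKE_DNS` is constructed so the code runs offline; the host names are assumptions.

```python
"""Hypothetical outbound-URL and redirect-target validators.

Added example, not Shopware's media or SSO code. Two defensive checks from the
disclosure, in Python: an outbound fetch is allowed only if every address the
host resolves to is public (not private, loopback or link-local, also when
wrapped in an IPv4-mapped IPv6 literal), and a client-supplied redirect target
(a Referer, say) is honoured only if it stays on the site's own host.
The resolver is injected so the example runs offline; FAKE_DNS is constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example needs no network.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],   # one public, one private
}


def fake_resolve(host: str) -> list:
    """Resolver stand-in; a real deployment would pass a getaddrinfo wrapper."""
    return FAKE_DNS.get(host, [])


def is_public_address(addr: str) -> bool:
    """True if addr is a routable public IP; mapped IPv4 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                      # ::ffff:a.b.c.d -> a.b.c.d
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_target(url: str, resolve=fake_resolve) -> bool:
    """True only if url is http(s) and every resolved address is public.

    Shorthand hosts such as '127.1' or a bare decimal integer are not IP
    literals to ipaddress, so they reach the resolver; the check then applies
    to whatever the resolver returns, which is what the fetch would connect to.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]   # IP literal
    except ValueError:
        addrs = resolve(parts.hostname)                        # host name
    return bool(addrs) and all(is_public_address(a) for a in addrs)


def safe_redirect_target(candidate: str, site_host: str, fallback: str = "/") -> str:
    """Return candidate if it is same-site, otherwise fallback."""
    if not candidate:
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative '//host') URL: only our host over https,
        # with no userinfo that could disguise 'https://site@other-host/'.
        same_site = (parts.scheme == "https" and parts.hostname == site_host
                     and parts.username is None)
        return candidate if same_site else fallback
    # Relative reference: must be a plain absolute path. Browsers read a
    # backslash as a slash, so '/\host' would become scheme-relative.
    if not candidate.startswith("/") or "\\" in candidate:
        return fallback
    return candidate


if __name__ == "__main__":
    for url in ("https://cdn.example/logo.png", "http://intranet.example/",
                "http://[::ffff:169.254.169.254]/", "http://127.1/"):
        print(url, is_safe_fetch_target(url))
    for ref in ("/account/orders", "https://shop.example/account", "//other.example/"):
        print(ref, "->", safe_redirect_target(ref, "shop.example"))
```

Two caveats a practitioner should carry over: the address that passed the check must be the one actually connected to (resolve once, then connect to that IP with the Host header set), otherwise a second lookup at connect time can return a different answer; and a redirect after a failed or missing SSO state should fall back to a fixed local page rather than consult any client-supplied header at all, which is the simplest fix for the open-redirect case.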
These vulnerabilities collectively expose Shopware instances to significant risks, including unauthorized administrative access, data theft, and manipulation of critical e-commerce processes. Users are strongly advised to review the specific patches and updates released by Shopware to address these issues. The rapid, coordinated disclosure suggests a thorough review of the platform's security posture is warranted.