CVE-2025-27892
Description
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware versions prior to 6.5.8.13 contain a SQL injection in /api/search/order due to an incomplete fix for previous CVEs.
Vulnerability Description
CVE-2025-27892 is a SQL injection vulnerability in the /api/search/order endpoint of Shopware, affecting versions prior to 6.5.8.13. The issue is a regression of the previously patched vulnerabilities CVE-2024-22406 and CVE-2024-42357, indicating that the original fixes were incomplete or were reintroduced during subsequent development [1][3].
Exploitation Prerequisites
An attacker can exploit this flaw by sending specially crafted requests to the vulnerable API endpoint. No authentication is required to trigger the injection, as the /api/search/order endpoint is publicly accessible in default configurations. The vulnerability allows an unauthenticated remote attacker to manipulate SQL queries executed by the application [1].
Potential Impact
Successful exploitation enables an attacker to read, modify, or delete arbitrary data in the Shopware database. This can lead to unauthorized access to customer information, order details, and other sensitive data stored in the database. In some scenarios, the attacker may also be able to escalate privileges or compromise the underlying server [1][3].
Mitigation Status
Shopware has released fixes in versions 6.5.8.13 and 6.6.5.1. For users who cannot immediately upgrade, the Shopware Security Plugin has been updated to version 2.0.11, which applies the necessary patches to older Shopware instances. Users are strongly advised to upgrade or apply the security plugin update as soon as possible [1][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| shopware/core | Packagist | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| shopware/platform | Packagist | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| shopware/core | Packagist | >= 6.6.0.0, < 6.6.10.3 | 6.6.10.3 |
| shopware/platform | Packagist | >= 6.6.0.0, < 6.6.10.3 | 6.6.10.3 |
| shopware/core | Packagist | < 6.5.8.18 | 6.5.8.18 |
| shopware/platform | Packagist | < 6.5.8.18 | 6.5.8.18 |
Affected products
- Shopware / Shopware (GHSA coordinates, no CPE); affected version ranges: >= 6.7.0.0-rc1, < 6.7.0.0-rc2 (+ 1 more)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8g35-7rmw-7f59 (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-27892 (source: ghsa, type: ADVISORY)
- github.com/shopware/shopware/releases/tag/v6.5.8.17 (source: ghsa, type: WEB)
- github.com/shopware/shopware/releases/tag/v6.6.10.3 (source: ghsa, type: WEB)
- github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2 (source: ghsa, type: WEB)
- github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59 (source: ghsa, type: WEB)
- www.redteam-pentesting.de/en/advisories/rt-sa-2025-001 (source: ghsa, type: WEB)
- www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/ (source: mitre)
News mentions
No linked articles in our index yet.