VYPR
High severityNVD Advisory· Published Dec 10, 2025· Updated Dec 11, 2025

Shopware's inproper input validation can lead to Reflected XSS through Storefront Login Page

CVE-2025-67648

Description

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
shopware/shopwarePackagist
>= 6.4.6.0, < 6.6.10.106.6.10.10
shopware/storefrontPackagist
>= 6.4.6.0, < 6.6.10.106.6.10.10
shopware/shopwarePackagist
>= 6.7.0.0, < 6.7.5.16.7.5.1
shopware/storefrontPackagist
>= 6.7.0.0, < 6.7.5.16.7.5.1

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.