High severityNVD Advisory· Published Dec 10, 2025· Updated Dec 11, 2025
Shopware's inproper input validation can lead to Reflected XSS through Storefront Login Page
CVE-2025-67648
Description
Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
shopware/shopwarePackagist | >= 6.4.6.0, < 6.6.10.10 | 6.6.10.10 |
shopware/storefrontPackagist | >= 6.4.6.0, < 6.6.10.10 | 6.6.10.10 |
shopware/shopwarePackagist | >= 6.7.0.0, < 6.7.5.1 | 6.7.5.1 |
shopware/storefrontPackagist | >= 6.7.0.0, < 6.7.5.1 | 6.7.5.1 |
Affected products
3- ghsa-coords2 versions
>= 6.4.6.0, < 6.6.10.10+ 1 more
- (no CPE)range: >= 6.4.6.0, < 6.6.10.10
- (no CPE)range: >= 6.4.6.0, < 6.6.10.10
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-6w82-v552-wjw2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67648ghsaADVISORY
- github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58ghsax_refsource_MISCWEB
- github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.