Packagist (Composer) package
shopware/platform
pkg:composer/shopware/platform
Vulnerabilities (42)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48011 | Low | 3.7 | >= 6.7.0.0, < 6.7.10.1 | 6.7.10.1 | Jun 10, 2026 | Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue. | |
| CVE-2026-31889 | — | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow u | ||
| CVE-2026-31888 | — | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENT | ||
| CVE-2026-31887 | — | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability | ||
| CVE-2025-7954 | Hig | 8.1 | <= 6.6.10.4 | — | Aug 6, 2025 | A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations. | |
| CVE-2025-27892 | Med | 6.8 | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 | Apr 15, 2025 | Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression. | |
| CVE-2025-32378 | Med | 5.3 | >= 6.6.0.0-rc1, < 6.6.10.3 | 6.6.10.3 | Apr 9, 2025 | Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt | |
| CVE-2025-30151 | Hig | 7.5 | >= 6.6.0.0, < 6.6.10.3 | 6.6.10.3 | Apr 8, 2025 | Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also availab | |
| CVE-2025-30150 | Med | 5.3 | >= 6.6.0.0, < 6.6.10.3 | 6.6.10.3 | Apr 8, 2025 | Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, | |
| CVE-2024-42357 | Hig | 7.3 | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggr | |
| CVE-2024-42356 | Hig | 8.3 | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of t | |
| CVE-2024-42355 | Hig | 8.3 | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not | |
| CVE-2024-42354 | Med | 5.3 | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to | |
| CVE-2024-31447 | Med | 5.3 | >= 6.3.5.0, < 6.5.8.8 | 6.5.8.8 | Apr 8, 2024 | Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. | |
| CVE-2024-27917 | Hig | 7.5 | >= 6.5.8.0, < 6.5.8.7 | 6.5.8.7 | Mar 6, 2024 | Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which con | |
| CVE-2024-22407 | Med | 4.9 | < 6.5.7.4 | 6.5.7.4 | Jan 16, 2024 | Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' perm | |
| CVE-2024-22406 | Cri | 9.3 | < 6.5.7.4 | 6.5.7.4 | Jan 16, 2024 | Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in | |
| CVE-2023-2017 | Hig | 8.8 | < 6.4.20.1 | 6.4.20.1 | Apr 17, 2023 | Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validati | |
| CVE-2023-22734 | Med | 4.3 | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter | |
| CVE-2023-22733 | Low | 2.7 | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kind of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users ac |
- affected >= 6.7.0.0, < 6.7.10.1fixed 6.7.10.1
Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.
- CVE-2026-31889Mar 11, 2026affected >= 6.7.0.0, < 6.7.8.1fixed 6.7.8.1
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow u
- CVE-2026-31888Mar 11, 2026affected >= 6.7.0.0, < 6.7.8.1fixed 6.7.8.1
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENT
- CVE-2026-31887Mar 11, 2026affected >= 6.7.0.0, < 6.7.8.1fixed 6.7.8.1
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability
- affected <= 6.6.10.4
A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.
- affected >= 6.7.0.0-rc1, < 6.7.0.0-rc2fixed 6.7.0.0-rc2
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.
- affected >= 6.6.0.0-rc1, < 6.6.10.3fixed 6.6.10.3
Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt
- affected >= 6.6.0.0, < 6.6.10.3fixed 6.6.10.3
Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also availab
- affected >= 6.6.0.0, < 6.6.10.3fixed 6.6.10.3
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response,
- affected < 6.5.8.13fixed 6.5.8.13
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggr
- affected < 6.5.8.13fixed 6.5.8.13
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of t
- affected < 6.5.8.13fixed 6.5.8.13
Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not
- affected < 6.5.8.13fixed 6.5.8.13
Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to
- affected >= 6.3.5.0, < 6.5.8.8fixed 6.5.8.8
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out.
- affected >= 6.5.8.0, < 6.5.8.7fixed 6.5.8.7
Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which con
- affected < 6.5.7.4fixed 6.5.7.4
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' perm
- affected < 6.5.7.4fixed 6.5.7.4
Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in
- affected < 6.4.20.1fixed 6.4.20.1
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validati
- affected < 6.4.18.1fixed 6.4.18.1
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter
- affected < 6.4.18.1fixed 6.4.18.1
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kind of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users ac
Page 1 of 3