Packagist (Composer) package
shopware/platform
pkg:composer/shopware/platform
Vulnerabilities (41)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31889 | — | — | — | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow u |
| CVE-2026-31888 | — | — | — | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENT |
| CVE-2026-31887 | — | — | — | >= 6.7.0.0, < 6.7.8.1 | 6.7.8.1 | Mar 11, 2026 | Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability |
| CVE-2025-7954 | — | — | — | <= 6.6.10.4 | — | Aug 6, 2025 | A race condition in the voucher system of Shopware v6.6.10.4 allows attackers to bypass intended voucher restrictions and exceed usage limitations. |
| CVE-2025-27892 | — | — | — | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 | 6.7.0.0-rc2 | Apr 15, 2025 | Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression. |
| CVE-2025-32378 | — | — | — | >= 6.6.0.0-rc1, < 6.6.10.3 | 6.6.10.3 | Apr 9, 2025 | Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double opt-in allow mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt |
| CVE-2025-30150 | — | — | — | >= 6.6.0.0, < 6.6.10.3 | 6.6.10.3 | Apr 8, 2025 | Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, |
| CVE-2025-30151 | — | — | — | >= 6.6.0.0, < 6.6.10.3 | 6.6.10.3 | Apr 8, 2025 | Shopware is an open commerce platform. It is possible to pass long passwords that lead to denial of service via Storefront forms or the Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also availab |
| CVE-2024-42357 | — | — | — | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggr |
| CVE-2024-42356 | — | — | — | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost every Twig template and allows access to the current language and currency information. The context object also allows switching, for a short time, the scope of t |
| CVE-2024-42355 | — | — | — | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware, an open ecommerce platform, has a new Twig tag `sw_silent_feature_call` which silences deprecation messages triggered within this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as a parameter a string, the feature flag name to silence, but this parameter is not |
| CVE-2024-42354 | — | — | — | < 6.5.8.13 | 6.5.8.13 | Aug 8, 2024 | Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields to the public API; fields need to be marked as ApiAware in the EntityDefinition, so only ApiAware fields of the EntityDefinition are encoded into the final JSON. Prior to |
| CVE-2024-31447 | — | — | — | >= 6.3.5.0, < 6.5.8.8 | 6.5.8.8 | Apr 8, 2024 | Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when an authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the user won't be logged out. |
| CVE-2024-27917 | — | — | — | >= 6.5.8.0, < 6.5.8.7 | 6.5.8.7 | Mar 6, 2024 | Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony session handler pops the session cookie and assigns it to the response. Since Shopware 6.5.8.0, 404 pages are cached to improve their performance. So the cached Response which con |
| CVE-2024-22406 | — | — | — | < 6.5.7.4 | 6.5.7.4 | Jan 16, 2024 | Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in |
| CVE-2024-22407 | — | — | — | < 6.5.7.4 | 6.5.7.4 | Jan 16, 2024 | Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' perm |
| CVE-2023-2017 | — | — | — | < 6.4.20.1 | 6.4.20.1 | Apr 17, 2023 | Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validati |
| CVE-2023-22733 | — | — | — | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kinds of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users ac |
| CVE-2023-22732 | — | — | — | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week; when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into |
| CVE-2023-22731 | — | — | — | < 6.4.18.1 | 6.4.18.1 | Jan 17, 2023 | Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in Twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP functi |
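Two rows above, CVE-2026-31888 (`POST /store-api/account/login`) and CVE-2025-30150 (`/store-api/account/recovery-password`), are the same class of bug: the response differs depending on whether the submitted e-mail address is registered, so an unauthenticated caller can enumerate customer accounts. The probe below is an added example, not Shopware code. It calls a login function with a known address and a wrong password, then with random addresses that cannot exist, and reports whether the (status, error code) pairs it sees differ between the two groups. The two in-memory handlers, the customer table and the error-code strings are constructed assumptions that stand in for the real endpoint.

```python
"""Differential-response probe for account-enumeration oracles on a login
endpoint. Added example, not Shopware code. The two handlers model the
vulnerable behaviour (distinct error codes for an unknown e-mail and for a
wrong password) and the hardened behaviour (one code for any bad credential).
The customer table and the error-code names are constructed assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample customer table: e-mail -> password. Plaintext only to keep
# the example offline; a real store compares against a password hash.
CUSTOMERS = {"alice@example.com": "correct horse battery staple"}

# Hypothetical error codes, named here for illustration only.
ERR_NOT_FOUND = "CUSTOMER_NOT_FOUND"
ERR_BAD_CREDENTIALS = "CUSTOMER_AUTH_BAD_CREDENTIALS"


@dataclass(frozen=True)
class LoginResult:
    status: int
    error_code: Optional[str]  # None on success


def vulnerable_login(email: str, password: str) -> LoginResult:
    """Leaks whether the e-mail exists: the two failure paths return different codes."""
    stored = CUSTOMERS.get(email)
    if stored is None:
        return LoginResult(401, ERR_NOT_FOUND)
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return LoginResult(401, ERR_BAD_CREDENTIALS)
    return LoginResult(200, None)


def hardened_login(email: str, password: str) -> LoginResult:
    """Same status and code whether the e-mail is unknown or the password is wrong."""
    stored = CUSTOMERS.get(email)
    ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    if not ok:
        return LoginResult(401, ERR_BAD_CREDENTIALS)
    return LoginResult(200, None)


LoginFn = Callable[[str, str], LoginResult]
Observation = Tuple[int, Optional[str]]


def probe_enumeration(login: LoginFn, known_email: str, rounds: int = 5) -> Dict[str, object]:
    """Compare responses for a known e-mail with a wrong password against
    responses for random e-mails that cannot exist. If the two sets of
    (status, error_code) pairs differ, the endpoint is an enumeration oracle."""
    wrong_pw = secrets.token_urlsafe(16)
    known: Set[Observation] = set()
    unknown: Set[Observation] = set()
    for _ in range(rounds):
        r = login(known_email, wrong_pw)
        known.add((r.status, r.error_code))
        fake = f"{secrets.token_hex(8)}@{secrets.token_hex(6)}.invalid"
        r = login(fake, wrong_pw)
        unknown.add((r.status, r.error_code))
    return {"known": known, "unknown": unknown, "oracle": known != unknown}


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, probe_enumeration(fn, "alice@example.com"))
```

To run this against a live store, replace the handler with a function that POSTs to the endpoint and returns the HTTP status plus the first `errors[].code` from the JSON body; the same probe applies to the password-recovery endpoint if the function returns whatever that endpoint returns. Compare response times as well as codes, since a password hash is only computed on the known-account path.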
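CVE-2024-27917 above is a session-in-shared-cache pattern: the session handler attaches a Set-Cookie header to the response, and once a 404 response is stored by a shared cache, every later visitor receives that stored copy, including any cookie on it. The check below is an added example, not Shopware code: it scans captured response headers and flags responses that a shared cache may store and that also set a session cookie. The sample captures and the `session` cookie-name prefix are constructed assumptions; substitute the cookie name your deployment actually uses.

```python
"""Flag HTTP responses that a shared cache may store and that also set a
session cookie. Added example, not Shopware code; sample data is constructed."""
from typing import Iterable, List, Sequence, Tuple

Header = Tuple[str, str]


def _header_values(headers: Iterable[Header], name: str) -> List[str]:
    """All values of a header, matched case-insensitively (headers may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def is_shared_cacheable(headers: Iterable[Header]) -> bool:
    """True if Cache-Control permits storage in a shared cache: 'public' or an
    's-maxage'/'max-age' lifetime, and neither 'private' nor 'no-store'."""
    directives: List[str] = []
    for value in _header_values(headers, "Cache-Control"):
        directives += [d.strip().lower() for d in value.split(",") if d.strip()]
    if any(d in ("private", "no-store") for d in directives):
        return False
    return any(d == "public" or d.startswith(("s-maxage=", "max-age=")) for d in directives)


def session_cookies(headers: Iterable[Header], prefixes: Sequence[str] = ("session",)) -> List[str]:
    """Names of cookies set by the response whose name starts with one of the prefixes."""
    lowered = tuple(p.lower() for p in prefixes)
    names = [v.split("=", 1)[0].strip() for v in _header_values(headers, "Set-Cookie")]
    return [n for n in names if n.lower().startswith(lowered)]


def find_leaky_responses(responses: Iterable[dict], prefixes: Sequence[str] = ("session",)) -> List[str]:
    """responses: dicts with 'url', 'status' and 'headers' (list of (name, value)).
    Returns the URLs whose response is shared-cacheable and sets a session cookie."""
    return [
        r["url"] for r in responses
        if is_shared_cacheable(r["headers"]) and session_cookies(r["headers"], prefixes)
    ]


# Constructed sample captures (not real Shopware traffic).
SAMPLE_RESPONSES = [
    {"url": "/no-such-page", "status": 404, "headers": [
        ("Cache-Control", "public, s-maxage=7200"),
        ("Set-Cookie", "session-=3f9a0c; path=/; HttpOnly; Secure"),
    ]},
    {"url": "/account/login", "status": 200, "headers": [
        ("Cache-Control", "private, no-cache"),
        ("Set-Cookie", "session-=77c1d2; path=/; HttpOnly; Secure"),
    ]},
    {"url": "/", "status": 200, "headers": [
        ("Cache-Control", "public, s-maxage=7200"),
        ("Set-Cookie", "currency=EUR; path=/"),
    ]},
]

if __name__ == "__main__":
    for url in find_leaky_responses(SAMPLE_RESPONSES):
        print("session cookie on a shared-cacheable response:", url)
```

Feed it the headers from a crawl of error pages (unknown paths, removed products) as well as normal pages: the fix for this class of bug is to either strip Set-Cookie before the response enters the cache or mark any response that starts a session as private, and the check should come back empty after either change.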
Page 1 of 3