Shopware

by Shopware

CVEs (46)

  • CVE-2016-3109 (Critical), Apr 21, 2017
    risk 0.59, cvss 9.8, epss 0.28

    The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code.

  • CVE-2017-15374 (Medium), Oct 16, 2017
    risk 0.43, cvss 6.1, epss 0.05

    Shopware v5.2.5 - v5.3 is vulnerable to cross-site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent…

  • CVE-2026-32142 (Medium), Mar 12, 2026
    risk 0.34, cvss 5.3, epss 0.00

    Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.

  • CVE-2026-32100 (Medium), Mar 12, 2026
    risk 0.34, cvss 5.3, epss 0.00

    Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7.

  • CVE-2026-48011 (Low), Jun 10, 2026
    risk 0.24, cvss 3.7, epss 0.00

    Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

  • CVE-2026-48013, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: The `/api/_action/media/external-link` endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel `uploadFromURL` flow validates target IPs against private/reserved ranges via…

  • CVE-2026-48015, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    SVG files are in the `allowed_extensions` whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (`onload`, ``, ``) executes in the…

  • CVE-2026-48016, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: The Shopware Store API endpoint `/store-api/handle-payment` contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign…

  • CVE-2026-48014, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: This is a vertical authorization bypass in the Admin API affecting order state transition features (`/api/_action/order/{orderId}/state/{transition}` and similar transaction/delivery transition routes). The root cause is that the transition action routes do not…

  • CVE-2026-48012, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Description: This report describes an open redirect in Shopware's public SSO entry point at `GET /api/oauth/sso/auth`. When the endpoint is reached without the expected SSO session state, the application falls back to the request's `Referer` header and uses that value as the…

  • CVE-2026-48010, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    `UserController::upsertUser()` writes user data in `SYSTEM_SCOPE` and does not filter the `admin` field. A non-admin API user with `user:create` or `user:update` ACL permission can set `admin: true` on new or existing users, escalating to full admin access. The Problem: In…

  • CVE-2026-48009, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: A low-privilege admin user with `user_recovery:read` ACL can take over any admin account. The attacker triggers password recovery for the victim (unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the…

  • CVE-2026-48008, Jun 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Summary: A non-admin API user with `integration:create` ACL privilege can escalate to full administrator by creating an integration with `admin: true` through the Sync API (`POST /api/_action/sync`). The regular integration endpoint (`POST /api/integration`) correctly blocks…

  • CVE-2026-23498, Jan 14, 2026
    risk 0.00, cvss n/a, epss 0.00

    Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and a crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

  • CVE-2025-67648, Dec 10, 2025
    risk 0.00, cvss n/a, epss 0.00

    Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page…

  • CVE-2025-7954, Aug 6, 2025
    risk 0.00, cvss n/a, epss 0.00

    A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.

  • CVE-2025-51541, Aug 5, 2025
    risk 0.00, cvss n/a, epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to…

  • CVE-2025-27892, Apr 15, 2025
    risk 0.00, cvss n/a, epss 0.11

    Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.

  • CVE-2025-32378, Apr 9, 2025
    risk 0.00, cvss n/a, epss 0.00

    Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double…

  • CVE-2025-30150, Apr 8, 2025
    risk 0.00, cvss n/a, epss 0.00

    Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the…

Page 1 of 3