Shopware
by Shopware
Source repositories
CVEs (46)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-3109 | | Cri | 0.59 | 9.8 | 0.28 | | Apr 21, 2017 | The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code. |
| CVE-2017-15374 | | Med | 0.43 | 6.1 | 0.05 | | Oct 16, 2017 | Shopware v5.2.5 - v5.3 is vulnerable to cross-site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent… |
| CVE-2026-32142 | | Med | 0.34 | 5.3 | 0.00 | | Mar 12, 2026 | Shopware is an open commerce platform. The /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15. |
| CVE-2026-32100 | | Med | 0.34 | 5.3 | 0.00 | | Mar 12, 2026 | Shopware is an open commerce platform. The /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7. |
| CVE-2026-48011 | | Low | 0.24 | 3.7 | 0.00 | | Jun 10, 2026 | Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue. |
| CVE-2026-48013 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | The `/api/_action/media/external-link` endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel `uploadFromURL` flow validates target IPs against private/reserved ranges via… |
| CVE-2026-48015 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | SVG files are in the `allowed_extensions` whitelist and can be uploaded by any admin user via the media manager. There is no SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (`onload`, …) executes in the… |
| CVE-2026-48016 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | The Shopware Store API endpoint `/store-api/handle-payment` contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user's order by supplying a foreign… |
| CVE-2026-48014 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | A vertical authorization bypass in the Admin API affecting order state transition features (`/api/_action/order/{orderId}/state/{transition}` and similar transaction/delivery transition routes). The root cause is that the transition action routes do not… |
| CVE-2026-48012 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | An open redirect in Shopware's public SSO entry point at `GET /api/oauth/sso/auth`. When the endpoint is reached without the expected SSO session state, the application falls back to the request's `Referer` header and uses that value as the… |
| CVE-2026-48010 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | `UserController::upsertUser()` writes user data in `SYSTEM_SCOPE` and does not filter the `admin` field. A non-admin API user with `user:create` or `user:update` ACL permission can set `admin: true` on new or existing users, escalating to full admin access. The Problem: In… |
| CVE-2026-48009 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | A low-privilege admin user with `user_recovery:read` ACL can take over any admin account. The attacker triggers password recovery for the victim (unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the… |
| CVE-2026-48008 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | A non-admin API user with `integration:create` ACL privilege can escalate to full administrator by creating an integration with `admin: true` through the Sync API (`POST /api/_action/sync`). The regular integration endpoint (`POST /api/integration`) correctly blocks… |
| CVE-2026-23498 | | | 0.00 | — | 0.00 | | Jan 14, 2026 | Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and a crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1. |
| CVE-2025-67648 | | | 0.00 | — | 0.00 | | Dec 10, 2025 | Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page… |
| CVE-2025-7954 | | | 0.00 | — | 0.00 | | Aug 6, 2025 | A race condition vulnerability has been identified in the voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations. |
| CVE-2025-51541 | | | 0.00 | — | 0.00 | | Aug 5, 2025 | A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to… |
| CVE-2025-27892 | | | 0.00 | — | 0.11 | | Apr 15, 2025 | Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression. |
| CVE-2025-32378 | | | 0.00 | — | 0.00 | | Apr 9, 2025 | Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double… |
| CVE-2025-30150 | | | 0.00 | — | 0.00 | | Apr 8, 2025 | Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Through the store-api it is possible as an attacker to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the… |
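CVE-2026-48013 above turns on one missing check: an endpoint that fetches a user-supplied URL on the server must refuse private, loopback, link-local and other reserved destinations, and must apply that refusal to the address it actually connects to, not just to the hostname as typed. The following is an added Python illustration written for this page; it is not Shopware's `uploadFromURL` or `external-link` code. The function names and the injectable `resolver` parameter are assumptions made so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeTarget(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def _is_forbidden(ip):
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) must be judged by the
    # IPv4 it wraps, otherwise the IPv6 checks let it through.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_safe_target(url, resolver=socket.getaddrinfo):
    """Return the IP literal the fetch may connect to, or raise UnsafeTarget.

    `resolver` defaults to the system resolver; the tests below inject a stub
    (hypothetical DNS answers) so the check runs offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise UnsafeTarget("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Not a plain IP literal: resolve it. Most libc resolvers also accept
        # spellings such as decimal "2130706433" for 127.0.0.1, so those end
        # up as normal addresses and are caught by the range check below.
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not candidates:
        raise UnsafeTarget("%s did not resolve" % host)
    # Every returned address must pass: a name with one public and one
    # private record is still an attack.
    for ip in candidates:
        if _is_forbidden(ip):
            raise UnsafeTarget("%s resolves to forbidden address %s" % (host, ip))
    # Pin the vetted address. The HTTP client must connect to this literal and
    # send the original name in the Host header; resolving again at connect
    # time would reopen a DNS-rebinding window.
    return str(candidates[0])


def is_safe_target(url, resolver=socket.getaddrinfo):
    """Boolean convenience wrapper around resolve_safe_target."""
    try:
        resolve_safe_target(url, resolver)
        return True
    except UnsafeTarget:
        return False
```

The pinned-address return value is the part most implementations forget: validating the name and then handing the URL to an HTTP client that resolves it a second time leaves the rebinding window open.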
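The open redirect in CVE-2026-48012 comes from treating the `Referer` header as a trusted return location. A redirect target taken from any request-controlled source has to be resolved against the application's own origin and rejected unless it stays there. This added Python example is not Shopware's SSO code; `safe_return_url`, the `app_origin` argument and the `/admin` fallback are assumptions for the illustration.

```python
from urllib.parse import urljoin, urlsplit


def safe_return_url(candidate, app_origin, fallback="/admin"):
    """Return `candidate` only if it stays on `app_origin`, else `fallback`.

    `candidate` is attacker-influenced (a Referer header or a redirect query
    parameter); `app_origin` is configured, e.g. "https://shop.example".
    """
    if not candidate:
        return fallback
    # Browsers treat a backslash after the authority separator as a slash, so
    # "/\evil.example" is really "//evil.example"; normalise before parsing.
    candidate = candidate.replace("\\", "/")
    # Resolve relative targets against our origin so "/admin#/orders" and the
    # protocol-relative "//evil.example/x" both become absolute URLs and get
    # exactly the same comparison.
    absolute = urljoin(app_origin, candidate)
    target, origin = urlsplit(absolute), urlsplit(app_origin)
    # Compare scheme and the whole authority, never a prefix or substring:
    # "shop.example@evil.example" and "shop.example.evil.example" must fail.
    if target.scheme != origin.scheme or target.netloc.lower() != origin.netloc.lower():
        return fallback
    return absolute
```

An allowlist of exact origins is deliberately strict: a port or scheme mismatch falls back rather than being "close enough", because the cases that look harmless (`http` instead of `https`) are the ones that downgrade the session.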
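CVE-2026-48010 and CVE-2026-48008 are the same bug in two places: a privilege field (`admin`) is accepted from a caller who is not allowed to set it, once in a user write and once through the batch Sync API that bypassed the check the single-entity endpoint performed. The fix pattern is a field-level write check that every write path shares. This added Python model is written for this page and is not Shopware's `UserController`, Sync API or DAL; the `Actor`, `Store` and function names are assumptions, and the ACL strings mirror the ones quoted in the advisories.

```python
from dataclasses import dataclass, field

# Fields that only an administrator may write, per entity (assumed policy).
PRIVILEGE_FIELDS = {"user": {"admin"}, "integration": {"admin"}}


class Forbidden(PermissionError):
    pass


@dataclass
class Actor:
    name: str
    is_admin: bool
    privileges: set = field(default_factory=set)  # ACL strings such as "integration:create"


def assert_write_allowed(entity, data, actor):
    """Field-level check that every write path must call, batch or not."""
    if not actor.is_admin and f"{entity}:create" not in actor.privileges:
        raise Forbidden(f"{actor.name} lacks {entity}:create")
    blocked = PRIVILEGE_FIELDS.get(entity, set()) & set(data)
    if blocked and not actor.is_admin:
        raise Forbidden(f"{actor.name} may not set {sorted(blocked)} on {entity}")


class Store:
    """Stand-in for the database; writes happen in system scope, unchecked."""

    def __init__(self):
        self.rows = {}

    def write(self, entity, data):
        self.rows.setdefault(entity, []).append(dict(data))

    def admins(self, entity):
        return [r["name"] for r in self.rows.get(entity, []) if r.get("admin") is True]


def create_direct(store, entity, data, actor):
    """The single-entity endpoint: checks the fields before writing."""
    assert_write_allowed(entity, data, actor)
    store.write(entity, data)


def sync_unchecked(store, operations, actor):
    """Vulnerable shape: the batch path checks only the route-level ACL and
    then writes each payload verbatim, so `admin: true` goes straight through."""
    for op in operations:
        if not actor.is_admin and f"{op['entity']}:create" not in actor.privileges:
            raise Forbidden(f"{actor.name} lacks {op['entity']}:create")
        for row in op["payload"]:
            store.write(op["entity"], row)


def sync_checked(store, operations, actor):
    """Fixed shape: the same field-level check as the direct endpoint, run on
    every row before anything is written, so a rejected batch changes nothing."""
    for op in operations:
        for row in op["payload"]:
            assert_write_allowed(op["entity"], row, actor)
    for op in operations:
        for row in op["payload"]:
            store.write(op["entity"], row)


def demo():
    """Returns (direct_blocked, admins_after_unchecked_sync, admins_after_checked_sync)."""
    bot = Actor("bot", is_admin=False, privileges={"integration:create"})
    payload = [{"name": "backdoor", "admin": True}]  # constructed attacker payload
    ops = [{"entity": "integration", "action": "upsert", "payload": payload}]
    direct_blocked = False
    try:
        create_direct(Store(), "integration", payload[0], bot)
    except Forbidden:
        direct_blocked = True
    s1 = Store()
    sync_unchecked(s1, ops, bot)
    s2 = Store()
    try:
        sync_checked(s2, ops, bot)
    except Forbidden:
        pass
    return direct_blocked, s1.admins("integration"), s2.admins("integration")
```

The lesson generalises past `admin`: any write path that bypasses the per-field check of the primary endpoint (batch, sync, import, nested association writes) reopens every field-level restriction that endpoint enforces, so the check belongs in the shared write layer rather than in the controller.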
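CVE-2025-7954 is a time-of-check/time-of-use race: a usage counter is read, compared with the limit, and then incremented in a separate step, so concurrent redemptions that all pass the check before any of them writes exceed the limit. The following added Python example reproduces the race against a throwaway SQLite table and shows the atomic alternative; it is written for this page and is not Shopware's promotion code. The table layout, the voucher code `SAVE10` and the `window` sleep (which only widens the race so it is deterministic in a test) are constructed for the illustration.

```python
import os
import sqlite3
import tempfile
import threading
import time


def _fresh_db(max_uses):
    """Create a one-row voucher table in a temporary SQLite file (constructed data)."""
    path = os.path.join(tempfile.mkdtemp(), "vouchers.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE voucher (code TEXT PRIMARY KEY, max_uses INTEGER, used INTEGER)")
    con.execute("INSERT INTO voucher VALUES ('SAVE10', ?, 0)", (max_uses,))
    con.commit()
    con.close()
    return path


def _connect(path):
    # Autocommit mode so transactions are explicit; a long busy timeout so
    # writers queue behind the write lock instead of failing.
    return sqlite3.connect(path, timeout=30, isolation_level=None)


def redeem_racy(path, code, window=0.2):
    """Check-then-act: the limit is tested outside the write transaction."""
    con = _connect(path)
    try:
        rows = con.execute("SELECT used, max_uses FROM voucher WHERE code = ?", (code,)).fetchall()
        if not rows or rows[0][0] >= rows[0][1]:
            return False
        time.sleep(window)  # stands in for the work between the check and the write
        con.execute("BEGIN IMMEDIATE")
        con.execute("UPDATE voucher SET used = used + 1 WHERE code = ?", (code,))
        con.execute("COMMIT")
        return True
    finally:
        con.close()


def redeem_atomic(path, code):
    """Check and increment in one statement; the database serialises writers,
    so exactly max_uses attempts see a row matching `used < max_uses`."""
    con = _connect(path)
    try:
        con.execute("BEGIN IMMEDIATE")
        cur = con.execute(
            "UPDATE voucher SET used = used + 1 WHERE code = ? AND used < max_uses", (code,))
        con.execute("COMMIT")
        return cur.rowcount == 1
    finally:
        con.close()


def run_concurrent(redeem, max_uses=3, attempts=10):
    """Fire `attempts` redemptions at once; return (accepted, counter_in_db)."""
    path = _fresh_db(max_uses)
    results, lock = [], threading.Lock()

    def worker():
        ok = redeem(path, "SAVE10")
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = _connect(path)
    used = con.execute("SELECT used FROM voucher WHERE code = 'SAVE10'").fetchone()[0]
    con.close()
    return sum(results), used


if __name__ == "__main__":
    print("racy  :", run_concurrent(redeem_racy))    # accepted well past the limit of 3
    print("atomic:", run_concurrent(redeem_atomic))  # (3, 3)
```

Taking the write lock (`BEGIN IMMEDIATE`) in the racy version does not help, because the decision was already made on a stale read; the limit has to be part of the same statement or the same transaction that increments the counter. The same conditional-update shape applies to stock reservations and any other bounded counter.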
Page 1 of 3