shopware/core Security Advisories for v6.6.0.2 (15)
-
[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled
PKSA-v415-g75g-bqsy GHSA-r2vg-hvjm-fg38
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[MEDIUM] Shopware exposes sensitive user information via CSV export mapping
PKSA-kypv-cx5n-qkc8 GHSA-27c9-vp3w-6ww8
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
PKSA-h5dj-jyqc-4fjr GHSA-3cpp-fv95-mpr5
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[LOW] Shopware vulnerable to path traversal via Plugin upload
PKSA-6wp3-462p-vyty GHSA-6wh5-mw9h-5c3w
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
PKSA-b824-t6kf-bqqz GHSA-m895-2hj3-8cg9
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by:
GitHub -
[LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse
PKSA-8vfm-96b7-t9nt CVE-2025-32378 GHSA-4h9w-7vfp-px8m
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0-rc1,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents
PKSA-frt7-rv6d-9v53 GHSA-68wv-g3fw-pq7q
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations
PKSA-m54b-2v2z-x1bs CVE-2025-27892 GHSA-8g35-7rmw-7f59
Affected version: <6.5.8.18|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1
Reported by:
GitHub -
[HIGH] Shopware allows Denial Of Service via password length
PKSA-k472-zz4q-rd5r CVE-2025-30151 GHSA-cgfj-hj93-rmh2
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api
PKSA-dbxn-psgm-2qmr CVE-2025-30150 GHSA-hh7j-6x3q-f52h
Affected version: <=6.5.8.17|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations
PKSA-wp2c-7yp8-5fvs CVE-2024-42357 GHSA-p6w9-r443-r752
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions
PKSA-kt1g-n1g2-hzb4 CVE-2024-42356 GHSA-35jp-8cgg-p4wj
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
PKSA-6stq-czfs-1nvv CVE-2024-42355 GHSA-27wp-jvhw-v4xp
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
PKSA-4spx-rq41-wk8h CVE-2024-42354 GHSA-hhcq-ph6w-494g
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[MEDIUM] Shopware Improper Session Handling in store-api account logout
PKSA-s8vz-878v-gv1c CVE-2024-31447 GHSA-5297-wrrp-rcj7
Affected version: >=6.6.0.0-rc1,<6.6.1.0|>=6.3.5.0,<6.5.8.8
Reported by:
GitHub