shopware/platform Security Advisories for 6.4.12.0 (34)
- [MEDIUM] Shopware: Stored XSS via SVG file upload — no SVG sanitization
  PKSA-xngt-2zh8-qhq6 CVE-2026-48015 GHSA-xvhc-gm7j-mhmc
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [MEDIUM] Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
  PKSA-6c8x-wdsy-zx17 CVE-2026-48016 GHSA-9v5m-39wh-5chq
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [MEDIUM] Shopware: Admin API ACL Bypass in Order State Transition Endpoints
  PKSA-1xdm-446c-t7rz CVE-2026-48014 GHSA-f8q6-3g5w-jjr6
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [LOW] Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
  PKSA-xwkj-rryn-xz6v CVE-2026-48011 GHSA-7w52-7jvm-m9vw
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [MEDIUM] Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
  PKSA-xbrd-fvys-3t24 CVE-2026-48010 GHSA-v39m-97p8-gqg7
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [MEDIUM] Shopware: Admin Account Takeover via User Recovery Hash Exposure
  PKSA-tk1x-h875-8y1s CVE-2026-48009 GHSA-8v9p-g828-v98f
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [MEDIUM] Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
  PKSA-b8bq-4ngt-d89p CVE-2026-48008 GHSA-gv8p-48fr-4fxg
  Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
  Reported by: GitHub

- [HIGH] Shopware vulnerable to a potential take over of app credentials
  PKSA-qj2q-c8sp-3qyg CVE-2026-31889 GHSA-c4p7-rwrg-pf6p
  Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1
  Reported by: GitHub

- [MEDIUM] Shopware has user enumeration via distinct error codes on Store API login endpoint
  PKSA-8zg6-v85t-wcz3 CVE-2026-31888 GHSA-gqc5-xv7m-gcjq
  Affected version: <6.6.10.14|>=6.7.0.0,<6.7.8.1
  Reported by: GitHub

- [HIGH] Shopware: Unauthenticated data extraction possible through store-api.order endpoint
  PKSA-bwqq-zb6b-g5dh CVE-2026-31887 GHSA-7vvp-j573-5584
  Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1
  Reported by: GitHub

- [MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled
  PKSA-g23j-x3sb-wcbc GHSA-r2vg-hvjm-fg38
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub

- [MEDIUM] Shopware exposes sensitive user information via CSV export mapping
  PKSA-cb17-wqsx-y85w GHSA-27c9-vp3w-6ww8
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub

- [LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
  PKSA-ph5g-5w5h-nqtz GHSA-3cpp-fv95-mpr5
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub

- [LOW] Shopware vulnerable to path traversal via Plugin upload
  PKSA-wg2b-w14d-z55p GHSA-6wh5-mw9h-5c3w
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub

- [MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
  PKSA-h7xc-cnc9-hq4s GHSA-m895-2hj3-8cg9
  Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
  Reported by: GitHub

- [MEDIUM] Shopware race condition bypasses voucher restrictions
  PKSA-sy2r-ddrd-9s1c CVE-2025-7954 GHSA-27gv-mg7w-mm34
  Affected version: <=6.6.10.4
  Reported by: GitHub

- [LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse
  PKSA-7zw7-y79b-kv9s CVE-2025-32378 GHSA-4h9w-7vfp-px8m
  Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0-rc1,<6.6.10.3
  Reported by: GitHub

- [MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents
  PKSA-9qy7-f7jp-k813 GHSA-68wv-g3fw-pq7q
  Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
  Reported by: GitHub

- [HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations
  PKSA-fkd6-58gd-wqfz CVE-2025-27892 GHSA-8g35-7rmw-7f59
  Affected version: <6.5.8.18|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1
  Reported by: GitHub

- [HIGH] Shopware allows Denial Of Service via password length
  PKSA-qf2k-hv7v-9bz9 CVE-2025-30151 GHSA-cgfj-hj93-rmh2
  Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
  Reported by: GitHub

- [MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api
  PKSA-4xth-xj4w-m8t1 CVE-2025-30150 GHSA-hh7j-6x3q-f52h
  Affected version: <=6.5.8.17|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1
  Reported by: GitHub

- [MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations
  PKSA-4jyx-mm79-zmg7 CVE-2024-42357 GHSA-p6w9-r443-r752
  Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
  Reported by: GitHub

- [HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions
  PKSA-69f8-ft32-qt99 CVE-2024-42356 GHSA-35jp-8cgg-p4wj
  Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
  Reported by: GitHub

- [HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
  PKSA-44zj-btqf-vtmh CVE-2024-42355 GHSA-27wp-jvhw-v4xp
  Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
  Reported by: GitHub

- [MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
  PKSA-c7v1-2zh3-y11f CVE-2024-42354 GHSA-hhcq-ph6w-494g
  Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
  Reported by: GitHub

- [MEDIUM] Shopware Improper Session Handling in store-api account logout
  PKSA-z88n-916m-msqr CVE-2024-31447 GHSA-5297-wrrp-rcj7
  Affected version: >=6.6.0.0-rc1,<6.6.1.0|>=6.3.5.0,<6.5.8.8
  Reported by: GitHub

- [MEDIUM] Broken Access Control order API in Shopware
  PKSA-9n6r-fddd-r9bb CVE-2024-22407 GHSA-3867-jc5c-66qf
  Affected version: <=6.5.7.3
  Reported by: GitHub

- [CRITICAL] Blind SQL injection in shopware
  PKSA-sz3r-ymxp-htg6 CVE-2024-22406 GHSA-qmp9-2xwj-m6m9
  Affected version: <=6.5.7.3
  Reported by: GitHub

- [HIGH] Shopware Has Improper Control of Generation of Code in Twig rendered views
  PKSA-y73d-9xyp-2rvj CVE-2023-2017 GHSA-7v2v-9rm4-7m8f
  Affected version: <=6.4.20.0
  Reported by: GitHub

- [MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription
  PKSA-vpqc-w91w-1ctj CVE-2023-22734 GHSA-46h7-vj7x-fxg2
  Affected version: <=6.4.18.0
  Reported by: GitHub

- [LOW] Shopware has Insufficient Session Expiration in Administration
  PKSA-z2wh-qqqg-rhx7 CVE-2023-22732 GHSA-59qg-93jg-236f
  Affected version: <=6.4.18.0
  Reported by: GitHub

- [LOW] Shopware's log module vulnerable to Improper Output Neutralization
  PKSA-7wby-zzwm-g7gb CVE-2023-22733 GHSA-7cp7-jfp6-jh4f
  Affected version: <=6.4.18.0
  Reported by: GitHub

- [CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views
  PKSA-ww33-9chf-zq86 CVE-2023-22731 GHSA-93cw-f5jj-x85w
  Affected version: <=6.4.18.0
  Reported by: GitHub

- [MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart
  PKSA-zx3q-w3f7-cp5k CVE-2023-22730 GHSA-8r6h-m72v-38fg
  Affected version: <=6.4.18.0
  Reported by: GitHub