shopware/platform Security Advisories for 6.7.9.x-dev (9)
-
[MEDIUM] Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation
PKSA-yg4m-g48j-bdvp CVE-2026-48013 GHSA-gq96-5pfx-f4vc
Affected version: >=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Stored XSS via SVG file upload — no SVG sanitization
PKSA-xngt-2zh8-qhq6 CVE-2026-48015 GHSA-xvhc-gm7j-mhmc
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
PKSA-6c8x-wdsy-zx17 CVE-2026-48016 GHSA-9v5m-39wh-5chq
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Admin API ACL Bypass in Order State Transition Endpoints
PKSA-1xdm-446c-t7rz CVE-2026-48014 GHSA-f8q6-3g5w-jjr6
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware SSO referer trust leading to an arbitrary redirect target
PKSA-54rn-sm9v-17vx CVE-2026-48012 GHSA-4x3x-869w-xx3m
Affected version: >=6.7.3.0,<6.7.10.1
Reported by: GitHub
-
[LOW] Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
PKSA-xwkj-rryn-xz6v CVE-2026-48011 GHSA-7w52-7jvm-m9vw
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
PKSA-xbrd-fvys-3t24 CVE-2026-48010 GHSA-v39m-97p8-gqg7
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Admin Account Takeover via User Recovery Hash Exposure
PKSA-tk1x-h875-8y1s CVE-2026-48009 GHSA-8v9p-g828-v98f
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
PKSA-b8bq-4ngt-d89p CVE-2026-48008 GHSA-gv8p-48fr-4fxg
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
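As an added example (not Shopware's or Packagist's own code), the Python below parses the "Affected version" constraints from the nine entries above and reports which advisories apply to a given Shopware version. It assumes the constraint syntax as it appears in this listing: "|" separates alternative ranges and "," joins conditions that must all hold, with the operators <, <=, >, >=, =. The dev branch 6.7.9.x-dev is modelled after the way Composer normalizes branch names (x becomes 9999999, the -dev suffix is dropped for comparison); that modelling is an assumption, and the function and constant names are mine. The CVE and GHSA identifiers and the constraints are copied from the list above.

```python
# Added example, not Shopware's or Packagist's code: evaluate the
# "Affected version" constraints from the listing above against a version.
# Assumed syntax (as used on this page): '|' separates alternative ranges,
# ',' joins conditions that must all hold; operators are <, <=, >, >=, =.
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int, int]
Cond = Tuple[str, Version]

OPS: Dict[str, Callable[[Version, Version], bool]] = {
    "<":  lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=":  lambda a, b: a == b,
}

# Identifiers and constraints copied from the advisory list above.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("CVE-2026-48013", "GHSA-gq96-5pfx-f4vc", ">=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48015", "GHSA-xvhc-gm7j-mhmc", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48016", "GHSA-9v5m-39wh-5chq", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48014", "GHSA-f8q6-3g5w-jjr6", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48012", "GHSA-4x3x-869w-xx3m", ">=6.7.3.0,<6.7.10.1"),
    ("CVE-2026-48011", "GHSA-7w52-7jvm-m9vw", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48010", "GHSA-v39m-97p8-gqg7", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48009", "GHSA-8v9p-g828-v98f", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
    ("CVE-2026-48008", "GHSA-gv8p-48fr-4fxg", "<6.6.10.18|>=6.7.0.0,<6.7.10.1"),
]

# Longer operators must come first so ">=" is not read as ">" + "=6...".
COND_RE = re.compile(r"^(<=|>=|<|>|=)?\s*([0-9A-Za-z.*-]+)$")


def parse_version(text: str) -> Version:
    """'6.7.10.1' -> (6, 7, 10, 1), padded with zeros to four components.

    A dev branch such as '6.7.9.x-dev' is modelled after Composer's branch
    normalization (assumption): 'x' becomes 9999999 and '-dev' is dropped, so
    the branch sorts above every tagged 6.7.9.* release but below 6.7.10.0.
    """
    text = text.strip()
    if text.endswith("-dev"):
        text = text[:-4]
    parts = [9999999 if p in ("x", "*") else int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unsupported version: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def parse_constraint(expr: str) -> List[List[Cond]]:
    """'<6.6.10.18|>=6.7.0.0,<6.7.10.1' -> [[('<', v1)], [('>=', v2), ('<', v3)]]"""
    alternatives: List[List[Cond]] = []
    for alt in expr.split("|"):
        conds: List[Cond] = []
        for raw in alt.split(","):
            m = COND_RE.match(raw.strip())
            if not m:
                raise ValueError(f"unsupported constraint: {raw!r}")
            conds.append((m.group(1) or "=", parse_version(m.group(2))))
        alternatives.append(conds)
    return alternatives


def is_affected(version: str, constraint: str) -> bool:
    """True if any alternative range has all of its conditions satisfied."""
    v = parse_version(version)
    return any(all(OPS[op](v, bound) for op, bound in alt)
               for alt in parse_constraint(constraint))


def affecting_advisories(version: str) -> List[str]:
    """CVE ids from ADVISORIES whose constraint matches the given version."""
    return [cve for cve, _ghsa, constraint in ADVISORIES
            if is_affected(version, constraint)]


if __name__ == "__main__":
    for v in ("6.7.9.x-dev", "6.7.10.1", "6.6.10.17", "6.6.10.18"):
        print(v, "->", affecting_advisories(v) or "not affected")
```

Running it against 6.7.9.x-dev returns all nine CVE ids, matching the count in the heading above; 6.7.10.1 and 6.6.10.18 match none, which is what the upper bounds "<6.7.10.1" and "<6.6.10.18" in the listing say. Note that CVE-2026-48012 only applies from 6.7.3.0 and CVE-2026-48013 has no 6.6 range, so a 6.6.x installation is affected by seven of the nine entries, not all of them.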