GHSA-2W46-VQ8H-98VH Shopware 6's password recovery link does not expire after email change
Summary When a customer changes their email address after requesting a password reset, the old password reset link tied to the previous email remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email...
EUVD-2025-197621
Shopware 6's password recovery link does not expire after email change
CVE-2025-51541
A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The cdatabaseschema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious...
CVE-2025-30150 Shopware 6 allows attackers to check for registered accounts through the store-api
Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Through the store-api it is possible, as an attacker, to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get a response which indicates...
PT-2023-17411
Name of the Vulnerable Software and Affected Versions: Shopware 6 versions 6.4.20.0 through 6.4.20.0; Shopware 6 versions 6.5.0.0-rc1 through 6.5.0.0-rc4. Description: The issue allows remote attackers with access to a Twig environment without the Sandbox extension to bypass validation checks and...