12 matches found
CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown...
PT-2025-32142 · Shopware · Shopware 6.6.10.4
Name of the Vulnerable Software and Affected Versions: Shopware version 6.6.10.4 Description: A race condition vulnerability exists in Shopware’s voucher system. This allows attackers to bypass intended voucher restrictions and exceed usage limitations. Recommendations: At the moment, there is no...
PT-2024-19396 · Shopware · Shopware
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.5.7.4 Shopware versions 6.1, 6.2, 6.3, and 6.4 Description: The Shopware application API contains a search functionality that enables users to search through information stored within their Shopware instance. The...
PT-2024-19398 · Shopware · Shopware
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.5.7.4 Shopware version 6.4 Description: The Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This enables malicious users to...
Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact: With CVE-2023-22731 we fixed Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as a string or an array, and array-crafted PHP Closures were not checked against the allow list. Patches: The problem has been fixed with 6.4.20.1 with an improved override...
PT-2022-23193 · Shopware · Shopware
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 5.7.15 Description: The issue allows users to bypass the Access Control List (ACL) if backend admin controllers are called with a certain notation, enabling them to execute actions they are normally not able to do...
GHSA-R64M-QCHJ-HRJP Webcache Poisoning in shopware/platform and shopware/core
Impact: Webcache Poisoning via X-Forwarded-Prefix and sub-request. Patches: We recommend updating to the current version 6.4.6.1. You can get the update to 6.4.6.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6 Workarounds: For...
GHSA-54GP-QFF8-946C Insecure direct object reference of log files of the Import/Export feature
Impact: Insecure direct object reference of log files of the Import/Export feature. Patches: We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6...
CVE-2021-32711 Leak of information via Store-API
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...
Exposure of .env if project root is configured as web root in shopware/production
Impact: The .env and other sensitive files can be leaked if the project root and not /public is configured as the web root. Patches: We recommend updating to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview...
Potential Session Hijacking
Impact: Potential session hijacking of store customers. Patches: We recommend updating to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6 Workarounds: For older...
GHSA-JVG4-9RC2-WVCR Generation of fake documents via public GET-call
Impact: Generation of fake documents via public GET-call. Patches: We recommend updating to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6 Workarounds: For older...