90 matches found

Cvelist, added 2026/03/11 6:49 p.m. (23 views)

CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVSS 8.9 | EPSS 0.0005 | Exploits 0 | References 1
CVE, added 2026/03/11 6:49 p.m. (5 views)

CVE-2026-31887

Shopware (open commerce platform) contains a vulnerability in prior releases: before 6.7.8.1 and 6.6.10.15, an insufficient check on filter types for unauthenticated customers on the store-api.order endpoint (deepLinkCode) can allow access to other customers’ orders. This is fixed in 6.7.8.1 and ...

CVSS 8.9 | AI score 5.8 | EPSS 0.0005 | Exploits 0 | References 1 | Affected Software 1
Vulnrichment, added 2026/03/11 9:25 a.m. (0 views)

CVE-2026-3231 Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the...

CVSS 7.2 | AI score 5.9 | EPSS 0.00154 | Exploits 0 | References 6
Positive Technologies, added 2026/03/11 12:00 a.m. (5 views)

PT-2026-24657

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the...

CVSS 7.2 | AI score 5.9 | EPSS 0.00154 | Exploits 0 | References 9
RedhatCVE, added 2025/10/30 7:11 a.m. (3 views)

CVE-2023-7320

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract...

CVSS 5.3 | AI score 6 | EPSS 0.00048 | Exploits 0 | References 1
CVE, added 2025/10/29 6:45 a.m. (6 views)

CVE-2023-7320

The CVE affects the WordPress WooCommerce plugin; versions up to 7.8.2 expose store API REST endpoints due to improper CORS handling, enabling unauthenticated access to sensitive user data (PII) from any origin. This vulnerability is caused by misconfigured Cross-Origin Resource Sharing on the St...

CVSS 5.3 | AI score 5.7 | EPSS 0.00048 | Exploits 0 | References 3
Vulnrichment, added 2025/10/29 6:45 a.m. (2 views)

CVE-2023-7320 WooCommerce <= 7.8.2 - Sensitive Information Exposure

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract...

CVSS 5.3 | AI score 5.7 | EPSS 0.00048 | Exploits 0 | References 3
Cvelist, added 2025/10/29 6:45 a.m. (6 views)

CVE-2023-7320 WooCommerce <= 7.8.2 - Sensitive Information Exposure

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract...

CVSS 5.3 | EPSS 0.00048 | Exploits 0 | References 3
Positive Technologies, added 2025/10/29 12:00 a.m. (3 views)

PT-2025-44237

Name of the Vulnerable Software and Affected Versions: WooCommerce versions prior to 7.8.3. Description: The WooCommerce plugin for WordPress exhibits a sensitive information exposure issue due to improper CORS (Cross-Origin Resource Sharing) handling on the Store API’s REST endpoints. This allows...

CVSS 5.3 | AI score 6.4 | EPSS 0.00048 | Exploits 0 | References 5
CNNVD, added 2025/10/29 12:00 a.m. (3 views)

WordPress plugin WooCommerce information disclosure vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP- and MySQL-based server. WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin WooCommerce, which stems...

CVSS 5.3 | AI score 5.7 | EPSS 0.00048 | Exploits 0 | References 3
EUVD, added 2025/10/07 12:30 a.m. (3 views)

EUVD-2019-6538

Malware in sbrugna...

CVSS 9.8 | AI score 9.5 | EPSS 0.00264 | Exploits 0 | References 2
EUVD, added 2025/10/07 12:30 a.m. (1 view)

EUVD-2021-1950

Malware in sbrugna...

CVSS 9.1 | AI score 8.5 | EPSS 0.00386 | Exploits 0 | References 5
EUVD, added 2025/10/03 8:07 p.m. (2 views)

EUVD-2024-1871

Malicious code in bioql PyPI...

CVSS 7.4 | AI score 7.3 | EPSS 0.0021 | Exploits 1 | References 6
EUVD, added 2025/10/03 8:07 p.m. (1 view)

EUVD-2024-2597

Malicious code in bioql PyPI...

CVSS 5.9 | AI score 6.4 | EPSS 0.00424 | Exploits 0 | References 7
EUVD, added 2025/10/03 8:07 p.m. (3 views)

EUVD-2025-10290

Malicious code in bioql PyPI...

CVSS 6.9 | AI score 6.3 | EPSS 0.00808 | Exploits 1 | References 6
RedhatCVE, added 2025/05/23 8:39 a.m. (2 views)

CVE-2024-23634

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST...

CVSS 6 | AI score 6.9 | EPSS 0.01147 | Exploits 1 | References 1
RedhatCVE, added 2025/05/23 7:54 a.m. (5 views)

CVE-2024-42354

Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields to the public API; fields need to be marked as ApiAware in the EntityDefinition, so only ApiAware fields of the EntityDefinition are encoded into the final JSON. Prior to versions 6.6.5.1...

CVSS 5.9 | AI score 6.9 | EPSS 0.00424 | Exploits 0
RedhatCVE, added 2025/05/22 9:19 p.m. (3 views)

CVE-2021-32711

Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak information via the Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We...

CVSS 9.1 | AI score 6.4 | EPSS 0.00386 | Exploits 0 | References 1
RedhatCVE, added 2025/05/22 8:11 a.m. (4 views)

CVE-2019-15569

HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows SQL injection, related to SearchQueryFactoryOperation.java and SortDirection.java...

CVSS 9.8 | AI score 7.6 | EPSS 0.00264 | Exploits 0 | References 1
RedhatCVE, added 2025/04/10 2:50 p.m. (8 views)

CVE-2025-30150

Shopware 6 is an open commerce platform based on the Symfony Framework and Vue. Through the store-api it is possible, as an attacker, to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password, you get a response which indicates...

CVSS 6.9 | AI score 6.7 | EPSS 0.00808 | Exploits 1 | References 1