Lucene search
+L

7 matches found

CVE
CVE
added yesterday25 views

CVE-2026-48014

Summary: CVE-2026-48014 affects Shopware open commerce platforms prior to 6.6.10.18 and 6.7.10.1, where Admin API order state transition routes (/api/_action/order/{orderId}/state/{transition} and related endpoints) could bypass ACL checks. The routes did not declare PlatformRequest::ATTRIBUTE_AC...

6.5CVSS5.3AI score0.00041EPSS
Exploits0References5
EUVD
EUVD
added yesterday5 views

EUVD-2026-45241

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS5.3AI score0.00041EPSS
Exploits0References5
CVE
CVE
added 2026/06/10 8:7 p.m.30 views

CVE-2026-48011

Summary of CVE-2026-48011 (Shopware) : A timing-attack in the admin authentication flow enables an attacker to enumerate administrator usernames. The issue is in the OAuth user lookup path (UserRepository::getUserEntityByUserCredentials). If a username is not found, the code returns quickly; if f...

3.7CVSS5.4AI score0.00223EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/04 7:33 p.m.4 views

User Impersonation

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to User Impersonation via the handle-payment endpoint. An attacker can trigger payment flows for orders belonging to other users by supplying a valid...

5.3CVSS5.8AI score0.0005EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:33 p.m.4 views

Missing Authorization

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API reques...

7.1CVSS5.8AI score0.00041EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:28 p.m.6 views

Improper Privilege Management

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Improper Privilege Management via the upsertUser function. An attacker can gain unauthorized administrative privileges by creating or updating user...

8.5CVSS5.8AI score0.00034EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:23 p.m.4 views

Missing Authorization

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Missing Authorization via the Sync API process. An attacker can gain unauthorized administrative privileges by creating an integration with elevated...

8.5CVSS5.8AI score0.00034EPSS
Exploits0References2
Rows per page
Query Builder