6 matches found
CVE-2026-48014
Summary: CVE-2026-48014 affects Shopware open commerce platforms prior to 6.6.10.18 and 6.7.10.1, where Admin API order state transition routes (/api/_action/order/{orderId}/state/{transition} and related endpoints) could bypass ACL checks. The routes did not declare PlatformRequest::ATTRIBUTE_AC...
EUVD-2026-45241
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
CVE-2026-48011
Summary of CVE-2026-48011 (Shopware) : A timing-attack in the admin authentication flow enables an attacker to enumerate administrator usernames. The issue is in the OAuth user lookup path (UserRepository::getUserEntityByUserCredentials). If a username is not found, the code returns quickly; if f...
User Impersonation
Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to User Impersonation via the handle-payment endpoint. An attacker can trigger payment flows for orders belonging to other users by supplying a valid...
Missing Authorization
Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API reques...
Improper Privilege Management
Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Improper Privilege Management via the upsertUser function. An attacker can gain unauthorized administrative privileges by creating or updating user...