8 matches found

Source: NVD (added 2026/06/10 10:17 p.m., 5 views)

CVE-2026-48011

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

CVSS 3.7 | EPSS 0.00355 | Exploits: 0 | References: 3
Source: Cvelist (added 2026/06/10 8:07 p.m., 26 views)

CVE-2026-48011 Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

CVSS 3.7 | EPSS 0.00355 | Exploits: 0 | References: 3
Source: CVE (added 2026/06/10 8:07 p.m., 15 views)

CVE-2026-48011

Summary of CVE-2026-48011 (Shopware): A timing attack in the admin authentication flow enables an attacker to enumerate administrator usernames. The issue is in the OAuth user lookup path (UserRepository::getUserEntityByUserCredentials). If a username is not found, the code returns quickly; if f...

CVSS 3.7 | AI score 5.4 | EPSS 0.00355 | Exploits: 0 | References: 3
Source: OSV (added 2026/06/04 7:31 p.m., 5 views)

GHSA-7W52-7JVM-M9VW Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Summary: There is a proof of concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack. Details: The faulty code exists in src/Core/Framework/Api/OAuth/UserRepository.php: public function getUserEntityByUserCredentials string $username,...

CVSS 3.7 | AI score 5.8 | EPSS 0.00355 | Exploits: 0 | References: 5
Source: Positive Technologies (added 2026/06/04 12:00 a.m., 10 views)

PT-2026-46887

Name of the vulnerable software and affected versions: Shopware versions prior to 6.6.10.18; Shopware versions prior to 6.7.10.1. Description: An attacker can enumerate administrator usernames by performing a timing attack. This occurs because the getUserEntityByUserCredentials function in the...

CVSS 3.7 | AI score 5.5 | EPSS 0.00355 | Exploits: 0 | References: 5
Source: Cvelist (added 2026/01/24 7:26 a.m., 32 views)

CVE-2025-14609 Wise Analytics <= 1.1.9 - Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via 'name' Parameter

The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive...

CVSS 5.3 | EPSS 0.00314 | Exploits: 0 | References: 4
Source: OSV (added 2022/04/04 9:15 p.m., 2 views)

CVE-2022-27442

TPCMS v3.2 allows attackers to access the ThinkPHP log directory and obtain sensitive information such as the administrator's user name and password...

CVSS 7.5 | AI score 7.1 | EPSS 0.00949 | Exploits: 1 | References: 1
Source: seebug.org (added 2007/12/24 12:00 a.m., 65 views)

PHP Real Estate Classifieds "id" SQL Injection

t0pP8uZz & xprog have reported a vulnerability in PHP Real Estate Classifieds, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id" parameter in fullnews.php is not properly sanitised before being used in SQL queries. This can be exploited to...

AI score 8.1 | Exploits: 0