4 matches found
EUVD-2026-11296
Shopware: Unauthenticated data extraction possible through store-api.order endpoint...
PT-2026-24793
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...
Access Control Bypass
Overview: shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Access Control Bypass due to improper access control mechanisms. An attacker can access documents of other customers by guessing the deepLinkCode of a document. Remediation: Upgrade...
PT-2025-15898 · Packagist · Shopware/Core +1
Impact: It's possible to guess the deepLinkCode of a document to open documents of other customers. Patches: Update to Shopware 6.6.10.3 or 6.5.8.17. Workarounds: For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend...