15 matches found

EUVD · added 2025/10/03 8:07 p.m. · 3 views
EUVD-2025-10290
Malicious code in bioql PyPI...
CVSS 6.9 · AI score 6.3 · EPSS 0.00808
Exploits 1 · References 6

EUVD · added 2025/10/03 8:07 p.m. · 5 views
EUVD-2025-23653
Malicious code in bioql PyPI...
CVSS 6.1 · AI score 6.5 · EPSS 0.00331
Exploits 1 · References 2

RedhatCVE · added 2025/08/07 12:31 a.m. · 10 views
CVE-2025-51541
A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious...
CVSS 6.1 · AI score 5.8 · EPSS 0.00331
Exploits 1 · References 1

NVD · added 2025/08/05 8:15 p.m. · 4 views
CVE-2025-51541
A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious...
CVSS 6.1 · EPSS 0.00331
Exploits 1 · References 2

Cvelist · added 2025/08/05 12:00 a.m. · 9 views
CVE-2025-51541
A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious...
EPSS 0.00331
Exploits 1 · References 2

CVE · added 2025/08/05 12:00 a.m. · 18 views
CVE-2025-51541
Shopware 6 stores user input in /recovery/install/database-configuration/ via the c_database_schema field without proper sanitization, enabling stored XSS. The issue can be triggered through a CSRF-enabled POST; lack of CSRF protections allows an unauthenticated attacker to craft a page that stor...
CVSS 6.1 · AI score 6.4 · EPSS 0.00331
Exploits 1 · References 2 · Affected Software 1

Vulnrichment · added 2025/04/08 1:46 p.m. · 9 views
CVE-2025-30150 Shopware 6 allows attackers to check for registered accounts through the store-api
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates...
CVSS 6.9 · AI score 6.9 · EPSS 0.00808
Exploits 1 · References 1

Positive Technologies · added 2025/04/08 12:00 a.m. · 3 views
PT-2025-15422 · Shopware · Shopware 6
Name of the Vulnerable Software and Affected Versions: Shopware 6 versions prior to 6.6.10.3; Shopware 6 versions prior to 6.5.8.17. Description: The issue allows an attacker to determine if a specific email address has an account in the shop. This is achieved through the store-api endpoint...
CVSS 6.9 · AI score 6.3 · EPSS 0.00808
Exploits 1 · References 10

OSV · added 2023/04/17 11:15 a.m. · 14 views
CVE-2023-2017
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in...
CVSS 8.8 · AI score 9.4
Exploits 0 · References 3

NVD · added 2023/04/17 11:15 a.m. · 12 views
CVE-2023-2017
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in...
CVSS 8.8 · AI score 9.6 · EPSS 0.02271
Exploits 1 · References 3

Prion · added 2023/04/17 11:15 a.m. · 16 views
Input validation
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in...
CVSS 6.5 · AI score 9.1 · EPSS 0.02406
Exploits 1 · References 3 · Affected Software 1

Vulnrichment · added 2023/04/17 10:18 a.m. · 9 views
CVE-2023-2017 Improper Control of Generation of Code in Twig Rendered Views in Shopware
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in...
CVSS 8.8 · AI score 9.1 · EPSS 0.02271
Exploits 1 · References 3

CVE · added 2023/04/17 10:18 a.m. · 329 views
CVE-2023-2017
Shopware 6 experienced a regression of CVE-2023-2017 in versions 6.7.0.0 to before 6.7.6.1, where an array- and array-crafted PHP Closure could bypass allow-list checks for map(...) overrides in Twig rendered views. This reopens the security issue by not properly filtering generatedCode in Twig, ...
CVSS 8.8 · AI score 9 · EPSS 0.02271
Exploits 1 · References 3 · Affected Software 1

Github Security Blog · added 2022/05/24 5:24 p.m. · 13 views
Shopware database password is leaked to an unauthenticated user
In Shopware 6 before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. This vulnerability does not affect the shopware 5 release branch shopware/shopware on packagist...
CVSS 7.5 · AI score 7.6 · EPSS 0.0084
Exploits 0 · References 4 · Affected Software 2

OSV · added 2022/03/10 5:49 p.m. · 31 views
GHSA-952P-FQCP-G8PC HTML injection possibility in voucher code form in Shopware
Impact: HTML injection possibility in voucher code form. Patches: Patched in 6.4.8.1; maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/shopware-6...
CVSS 6.1 · AI score 6.4 · EPSS 0.00397
Exploits 0 · References 6