Lucene search
+L

50 matches found

Cvelist
Cvelist
added 2 days ago38 views

CVE-2026-48009 Shopware: Admin Account Takeover via User Recovery Hash Exposure

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...

6.8CVSS0.00272EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2 days ago7 views

CVE-2026-48009 Shopware: Admin Account Takeover via User Recovery Hash Exposure

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...

6.8CVSS5.3AI score0.00272EPSS
Exploits0References6
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-45238

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...

4.9CVSS5.5AI score0.00278EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/04 7:35 p.m.8 views

Cross-site Scripting (XSS)

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the SVG file upload process. An attacker can execute arbitrary JavaScript in the context of the application by uploading a malicious SVG file containing...

6.9CVSS5.9AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:33 p.m.7 views

User Impersonation

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to User Impersonation via the handle-payment endpoint. An attacker can trigger payment flows for orders belonging to other users by supplying a valid foreign orderId, potentially causing...

5.3CVSS5.8AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:33 p.m.7 views

Missing Authorization

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Missing Authorization in the orderStateTransition process. An attacker can modify order states without proper privileges by sending crafted API requests directly to the affected endpoints...

7.1CVSS5.8AI score0.00233EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:27 p.m.5 views

Weak Password Recovery Mechanism for Forgotten Password

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password in the userrecovery process. An attacker can gain unauthorized access to any admin account by triggering a password recovery for th...

7.6CVSS5.8AI score0.00272EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/12 6:17 p.m.5 views

EUVD-2026-11663

Shopware is an open commerce platform. /api/info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/12 6:17 p.m.5 views

CVE-2026-32142 shopware/commercial: `/api/_info/config` route exposes information about licenses

Shopware is an open commerce platform. /api/info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/12 6:10 p.m.12 views

EUVD-2026-11642

Shopware is an open commerce platform. /api/info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7...

5.3CVSS5.8AI score0.00201EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.12 views

PT-2026-25031

Shopware is an open commerce platform. /api/ info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7...

5.3CVSS5.8AI score0.00201EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/12 12:0 a.m.9 views

PT-2026-25040

CVE-2026-32142 Shopware is an open commerce platform. /api/ info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15. https://t.co/miVHOhaAoF...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/11 8:42 p.m.5 views

User Impersonation

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to User Impersonation in the app registration process. An attacker can gain unauthorized access to sensitive API credentials by exploiting the ability to update the shop-url during...

8.9CVSS5.8AI score0.00267EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/11 6:53 p.m.2 views

CVE-2026-31888

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References2Affected Software2
RedhatCVE
RedhatCVE
added 2026/02/11 1:33 a.m.10 views

CVE-2026-25878

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with authrequired=false and performed no session validation, exposing the Adminer UI to unauthenticated users...

6.9CVSS5.5AI score0.00362EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/09 8:53 p.m.4 views

CVE-2026-25878

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with authrequired=false and performed no session validation, exposing the Adminer UI to unauthenticated users...

6.9CVSS5.5AI score0.00362EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/09 8:53 p.m.5 views

CVE-2026-25878 FroshAdminer Adminer UI is accessible without admin session

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with authrequired=false and performed no session validation, exposing the Adminer UI to unauthenticated users...

6.9CVSS5.5AI score0.00362EPSS
Exploits0References3
CVE
CVE
added 2026/02/09 8:53 p.m.18 views

CVE-2026-25878

FroshAdminer (Shopware Platform) vulnerable in versions prior to 2.2.1 where the Adminer UI at /admin/adminer was exposed without Shopware admin authentication due to auth_required=false and no session validation. This allowed unauthenticated access to the Adminer UI, with a potentially limited i...

6.9CVSS5.5AI score0.00362EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/02/09 8:53 p.m.32 views

CVE-2026-25878 FroshAdminer Adminer UI is accessible without admin session

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with authrequired=false and performed no session validation, exposing the Adminer UI to unauthenticated users...

6.9CVSS0.00362EPSS
Exploits0References3
OSV
OSV
added 2026/02/09 8:53 p.m.6 views

CVE-2026-25878 FroshAdminer Adminer UI is accessible without admin session

FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with authrequired=false and performed no session validation, exposing the Adminer UI to unauthenticated users...

6.9CVSS5.5AI score0.00362EPSS
Exploits0References5
Rows per page
Query Builder