1010 matches found
CVE-2026-48015
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...
CVE-2026-48010
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...
CVE-2026-48014
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
CVE-2026-48008
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...
CVE-2026-48009
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...
CVE-2026-48009 Shopware: Admin Account Takeover via User Recovery Hash Exposure
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...
CVE-2026-48009 Shopware: Admin Account Takeover via User Recovery Hash Exposure
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...
CVE-2026-48009
Shopware vulnerability CVE-2026-48009: A low-privilege admin with user_recovery:read can takeover any admin by triggering password recovery, reading the recovery hash via Admin API, and resetting the password. Root cause: the hash field in UserRecoveryDefinition was exposed in the Admin API (no A...
EUVD-2026-45242
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...
CVE-2026-48014
Summary: CVE-2026-48014 affects Shopware open commerce platforms prior to 6.6.10.18 and 6.7.10.1, where Admin API order state transition routes (/api/_action/order/{orderId}/state/{transition} and related endpoints) could bypass ACL checks. The routes did not declare PlatformRequest::ATTRIBUTE_AC...
CVE-2026-48014 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
EUVD-2026-45241
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...
CVE-2026-48010
Summary: CVE-2026-48010 affects Shopware core prior to versions 6.6.10.18 and 6.7.10.1. The vulnerability arises when UserController::upsertUser() writes raw request data in SYSTEM_SCOPE without filtering the admin field, allowing a non-admin API user with user:create or user:update ACL to set ad...
CVE-2026-48010 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...
EUVD-2026-45240
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...
CVE-2026-48016 Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php witho...
EUVD-2026-45239
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php witho...
CVE-2026-48015 Shopware: Stored XSS via SVG file upload — no SVG sanitization
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...
CVE-2026-48015
Shopware core is affected by CVE-2026-48015 due to SVG files being allowed in the media upload whitelist and not sanitized in the upload pipeline (MediaUploadController → FileSaver → TypeDetector). Prior to versions 6.6.10.18 and 6.7.10.1, uploading SVGs could allow embedded JavaScript (onload, [...
CVE-2026-48015 Shopware: Stored XSS via SVG file upload — no SVG sanitization
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowedextensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from...