GHSA-GQ96-5PFX-F4VC Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

Summary The /api/action/media/external-link endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel uploadFromURL flow validates target IPs against private/reserved ranges via FileUrlValidator, the linkURL flow only...

Shopware: Stored XSS via SVG file upload — no SVG sanitization

SVG files are in the allowedextensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Problem...

GHSA-XVHC-GM7J-MHMC Shopware: Stored XSS via SVG file upload — no SVG sanitization

SVG files are in the allowedextensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript onload, , executes in the context of the Shopware domain when accessed. The Problem...

Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

Summary The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...

GHSA-4X3X-869W-XX3M Shopware SSO referer trust leading to an arbitrary redirect target

Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...

Shopware SSO referer trust leading to an arbitrary redirect target

Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...

Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Summary There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack. Details The faulty code exists in src/Core/Framework/Api/OAuth/UserRepository.php: public function getUserEntityByUserCredentials string $username,...

GHSA-V39M-97P8-GQG7 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

UserController::upsertUser writes user data in SYSTEMSCOPE and does not filter the admin field. A non-admin API user with user:create or user:update ACL permission can set admin: true on new or existing users, escalating to full admin access. The Problem In...

Shopware < 5.5.8 - Cross-Site Scripting

Shopware before 5.5.8 contains a reflected cross-site scripting XSS caused by unsanitized query string parameters in the backend/Login or backend/Login/load/ URI, letting attackers execute arbitrary scripts in the context of the victim's browser, exploit requires sending crafted URL to the victim...

Shopware < 6.5.8.13 - SQL Injection

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field in this "aggregations" ...

PT-2026-46847

Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...

PT-2026-46888

Description This report describes an open redirect in Shopware's public SSO entry point at GET /api/oauth/sso/auth. When the endpoint is reached without the expected SSO session state, the application falls back to the request's Referer header and uses that value as the redirect destination. In t...

CVE-2026-48012

creationtimestamp| type| source ---|---|--- 2026-05-19 16:06:53+00:00| published-proof-of-concept| https://github.com/shopware/shopware/security/advisories/GHSA-4x3x-869w-xx3m...

CVE-2026-48011

creationtimestamp| type| source ---|---|--- 2026-05-19 16:06:31+00:00| published-proof-of-concept| https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw...

Improper Authentication

Shopware is vulnerable to Improper Authentication. The vulnerability is due to insufficient validation and binding of shop installations to their original domains during app re-registration, which allows an attacker to hijack app communication and obtain API credentials intended for legitimate...

📄 Shopware Improper Control

Shopware versions greater than or equal to 6.7.0.0 and less than 6.7.6.1 has an improper control related to Twig rendered views. CVE-2026-23498: Shopware Has Improper Control of Generation of Code in Twig rendered views Overview | Field | Details | |---|---| | CVE ID | CVE-2026-23498 | | Severity...

CVE-2026-32142

Shopware is an open commerce platform. /api/info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15...

CVE-2026-32100

Shopware is an open commerce platform. /api/info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7...

CVE-2026-31889

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based...

CVE-2026-31887

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...