CVE-2026-31888

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2026-3231

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the...

CVE-2026-31887

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

Incorrect Authorization

Shopware is vulnerable to Incorrect Authorization. The vulnerability is due to insufficient validation of filter types in the store-api.order endpoint, which allows an attacker to access orders belonging to other customers without authentication...

Unauthorized Data Access

Shopware is vulnerable to unauthorized data access. The vulnerability is due to an insufficient check on filter types for unauthenticated customers, where the deepLinkCode support on the store-api.order endpoint fails to enforce proper authorization and attackers can retrieve other customers' ord...

Incorrect Authorization

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation of filter types in the store-api.order endpoint. An attacker can access order data belonging to...

GHSA-GQC5-XV7M-GCJQ Shopware has user enumeration via distinct error codes on Store API login endpoint

Summary The Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown CHECKOUTCUSTOMERNOTFOUND. The "not found" response also echoes the...

Shopware has user enumeration via distinct error codes on Store API login endpoint

Summary The Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown CHECKOUTCUSTOMERNOTFOUND. The "not found" response also echoes the...

GHSA-7VVP-J573-5584 Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...

Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...

EUVD-2026-11296

Shopware: Unauthenticated data extraction possible through store-api.order endpoint...

CVE-2026-31888

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2026-31887

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVE-2026-31888

Shopware’s Store API login (POST /store-api/account/login) before versions 6.7.8.1 and 6.6.10.15 exposes a user enumeration flaw: it returns different error codes for a registered email vs. an unknown email and echoes the probed address, while the storefront login unifies errors. This inconsisten...

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVE-2026-31887

Shopware (open commerce platform) contains a vulnerability in prior releases: before 6.7.8.1 and 6.6.10.15, an insufficient check on filter types for unauthenticated customers on the store-api.order endpoint (deepLinkCode) can allow access to other customers’ orders. This is fixed in 6.7.8.1 and ...

CVE-2026-3231 Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the...