
13 matches found

OSV
added 3 days ago, 4 views

GHSA-9V5M-39WH-5CHQ Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

Summary: The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...

CVSS: 4.3, AI score: 5.7
Exploits: 0, References: 4
EUVD
added 2026/03/11 7:23 p.m., 2 views

EUVD-2026-11298

Shopware has user enumeration via distinct error codes on Store API login endpoint...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00055
Exploits: 0, References: 1
OSV
added 2026/03/11 6:53 p.m., 1 view

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00055
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/11 9:25 a.m., 0 views

CVE-2026-3231

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the...

CVSS: 7.2, AI score: 5.9, EPSS: 0.00154
Exploits: 0, References: 7
Snyk
added 2025/04/08 2:51 p.m., 1 view

Improper Input Validation

Overview: shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Improper Input Validation via the password length. This is by submitting excessively long passwords through Storefront forms or Store-API. Remediation: Upgrade shopware/platform to version...

CVSS: 8.7, AI score: 7.1, EPSS: 0.00796
Exploits: 0, References: 2
OSV
added 2025/04/08 1:46 p.m., 3 views

CVE-2025-30150 Shopware 6 allows attackers to check for registered accounts through the store-api

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates...

CVSS: 6.9, AI score: 6.4, EPSS: 0.00808
Exploits: 1, References: 3
RedhatCVE
added 2025/03/26 7:17 p.m., 7 views

CVE-2025-2707

A vulnerability, which was classified as critical, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected by this issue is some unknown functionality of the file /app-api/infra/file/upload of the component Front-End Store Interface. The manipulation of the argument path leads to path...

CVSS: 9.1, AI score: 7, EPSS: 0.0017
Exploits: 1, References: 1
OSV
added 2025/03/24 7:15 p.m., 1 view

CVE-2025-2707

A vulnerability, which was classified as critical, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. Affected by this issue is some unknown functionality of the file /app-api/infra/file/upload of the component Front-End Store Interface. The manipulation of the argument path leads to path...

CVSS: 9.1, AI score: 5.3
Exploits: 0, References: 4
CNNVD
added 2024/08/08 12:0 a.m., 1 view

Shopware Security Vulnerability

Shopware is a suite of open source e-commerce software from the German company Shopware. A security vulnerability exists in Shopware versions 6.6.5.1 and 6.5.8.13 and earlier, which stems from the fact that its store-API does not properly take into account ManyToMany associations when handling...

CVSS: 5.9, AI score: 6.4, EPSS: 0.00424
Exploits: 0, References: 6
Positive Technologies
added 2024/04/08 12:0 a.m., 1 view

PT-2024-24081 · Shopware · Shopware 6

Name of the Vulnerable Software and Affected Versions: Shopware 6 versions 6.3.5.0 through 6.6.1.0 and prior to 6.5.8.8 can be simplified to: Shopware 6 versions 6.3.5.0 through 6.6.0 and versions 6.5.0 through 6.5.8.7 Description: Shopware 6 is an open commerce platform based on Symfony Framewor...

CVSS: 5.3, AI score: 6.7, EPSS: 0.00164
Exploits: 0, References: 10
Positive Technologies
added 2024/03/20 12:0 a.m., 2 views

PT-2024-14126 · Geoserver · Geoserver

Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.23.4 and 2.24.1 Description: An arbitrary file upload vulnerability exists that enables an authenticated administrator with permissions to modify coverage stores through the "REST Coverage Store API" to upload...

CVSS: 7.2, AI score: 8.1, EPSS: 0.04719
Exploits: 1, References: 14
CNNVD
added 2021/06/24 12:0 a.m., 1 view

Shopware Information Disclosure Vulnerability

Shopware is an open source e-commerce platform. An information disclosure vulnerability exists in versions of Shopware prior to 6.3.5.1. An attacker can exploit this vulnerability to obtain sensitive information via the Store-API...

CVSS: 9.1, AI score: 5.6, EPSS: 0.00386
Exploits: 0, References: 5
CNVD
added 2019/06/12 12:0 a.m., 3 views

Samsung Galaxy Apps Trust Management Issue Vulnerability

Samsung Galaxy Apps is a pre-installed application store program for Samsung mobile devices from Samsung South Korea. A security vulnerability exists in Samsung Galaxy Apps versions prior to 4.4.01.7. An attacker can exploit the vulnerability to modify the hostname to mimic the app store's API,...

CVSS: 8.1, AI score: 6.7, EPSS: 0.00973
Exploits: 1, References: 1