[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled

PKSA-v415-g75g-bqsy GHSA-r2vg-hvjm-fg38

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub

[MEDIUM] Shopware exposes sensitive user information via CSV export mapping

PKSA-kypv-cx5n-qkc8 GHSA-27c9-vp3w-6ww8

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub

[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice

PKSA-h5dj-jyqc-4fjr GHSA-3cpp-fv95-mpr5

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub

[LOW] Shopware vulnerable to path traversal via Plugin upload

PKSA-6wp3-462p-vyty GHSA-6wh5-mw9h-5c3w

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub

[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

PKSA-b824-t6kf-bqqz GHSA-m895-2hj3-8cg9

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub

[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations

PKSA-m54b-2v2z-x1bs CVE-2025-27892 GHSA-8g35-7rmw-7f59

Affected version: <6.5.8.18|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1

Reported by:
GitHub

[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api

PKSA-dbxn-psgm-2qmr CVE-2025-30150 GHSA-hh7j-6x3q-f52h

Affected version: <=6.5.8.17|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1

Reported by:
GitHub