shopware/core Security Advisories for v6.7.3.0 (19)
-
[MEDIUM] Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation
PKSA-9x83-17hb-ky3t CVE-2026-48013 GHSA-gq96-5pfx-f4vc
Affected version: >=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Stored XSS via SVG file upload — no SVG sanitization
PKSA-qf56-zbmm-29m8 CVE-2026-48015 GHSA-xvhc-gm7j-mhmc
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
PKSA-y5sy-w7mt-r97k CVE-2026-48016 GHSA-9v5m-39wh-5chq
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Admin API ACL Bypass in Order State Transition Endpoints
PKSA-rnpb-7fbj-phyz CVE-2026-48014 GHSA-f8q6-3g5w-jjr6
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware SSO referer trust leading to an arbitrary redirect target
PKSA-xknd-fd7t-crfc CVE-2026-48012 GHSA-4x3x-869w-xx3m
Affected version: >=6.7.3.0,<6.7.10.1
Reported by: GitHub
-
[LOW] Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
PKSA-yt77-qm1k-2vvb CVE-2026-48011 GHSA-7w52-7jvm-m9vw
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
PKSA-fstf-sh35-tmx7 CVE-2026-48010 GHSA-v39m-97p8-gqg7
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Admin Account Takeover via User Recovery Hash Exposure
PKSA-946b-qy3w-67d7 CVE-2026-48009 GHSA-8v9p-g828-v98f
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[MEDIUM] Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
PKSA-zymb-qg2c-csgb CVE-2026-48008 GHSA-gv8p-48fr-4fxg
Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1
Reported by: GitHub
-
[HIGH] Shopware vulnerable to a potential take over of app credentials
PKSA-fyfg-936j-xtjc CVE-2026-31889 GHSA-c4p7-rwrg-pf6p
Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1
Reported by: GitHub
-
[MEDIUM] Shopware has user enumeration via distinct error codes on Store API login endpoint
PKSA-cck7-yytv-pqc6 CVE-2026-31888 GHSA-gqc5-xv7m-gcjq
Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1
Reported by: GitHub
-
[HIGH] Shopware: Unauthenticated data extraction possible through store-api.order endpoint
PKSA-1d39-xhww-sgwf CVE-2026-31887 GHSA-7vvp-j573-5584
Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1
Reported by: GitHub
-
[HIGH] Shopware Has Improper Control of Generation of Code in Twig rendered views
PKSA-sj7p-kg8p-gg2k CVE-2026-23498 GHSA-7cw6-7h3h-v8pf
Affected version: >=6.7.0.0,<6.7.6.1
Reported by: GitHub
-
[MEDIUM] Shopware 6's password recovery link does not expire after email change
PKSA-w3qy-s9h7-2hqr GHSA-2w46-vq8h-98vh
Affected version: >=6.7.0.0,<6.7.4.1|<6.6.10.9
Reported by: GitHub
-
[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled
PKSA-v415-g75g-bqsy GHSA-r2vg-hvjm-fg38
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by: GitHub
-
[MEDIUM] Shopware exposes sensitive user information via CSV export mapping
PKSA-kypv-cx5n-qkc8 GHSA-27c9-vp3w-6ww8
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by: GitHub
-
[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
PKSA-h5dj-jyqc-4fjr GHSA-3cpp-fv95-mpr5
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by: GitHub
-
[LOW] Shopware vulnerable to path traversal via Plugin upload
PKSA-6wp3-462p-vyty GHSA-6wh5-mw9h-5c3w
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by: GitHub
-
[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
PKSA-b824-t6kf-bqqz GHSA-m895-2hj3-8cg9
Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1
Reported by: GitHub