Security Advisories - shopware/core

shopware/core Security Advisories for v6.7.5.0 (13)

[MEDIUM] Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

PKSA-9x83-17hb-ky3t CVE-2026-48013 GHSA-gq96-5pfx-f4vc

Affected version: >=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware: Stored XSS via SVG file upload — no SVG sanitization

PKSA-qf56-zbmm-29m8 CVE-2026-48015 GHSA-xvhc-gm7j-mhmc

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

PKSA-y5sy-w7mt-r97k CVE-2026-48016 GHSA-9v5m-39wh-5chq

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware: Admin API ACL Bypass in Order State Transition Endpoints

PKSA-rnpb-7fbj-phyz CVE-2026-48014 GHSA-f8q6-3g5w-jjr6

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware SSO referer trust leading to an arbitrary redirect target

PKSA-xknd-fd7t-crfc CVE-2026-48012 GHSA-4x3x-869w-xx3m

Affected version: >=6.7.3.0,<6.7.10.1

Reported by:
GitHub
[LOW] Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

PKSA-yt77-qm1k-2vvb CVE-2026-48011 GHSA-7w52-7jvm-m9vw

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

PKSA-fstf-sh35-tmx7 CVE-2026-48010 GHSA-v39m-97p8-gqg7

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware: Admin Account Takeover via User Recovery Hash Exposure

PKSA-946b-qy3w-67d7 CVE-2026-48009 GHSA-8v9p-g828-v98f

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[MEDIUM] Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

PKSA-zymb-qg2c-csgb CVE-2026-48008 GHSA-gv8p-48fr-4fxg

Affected version: <6.6.10.18|>=6.7.0.0,<6.7.10.1

Reported by:
GitHub
[HIGH] Shopware vulnerable to a potential take over of app credentials

PKSA-fyfg-936j-xtjc CVE-2026-31889 GHSA-c4p7-rwrg-pf6p

Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1

Reported by:
GitHub
[MEDIUM] Shopware has user enumeration via distinct error codes on Store API login endpoint

PKSA-cck7-yytv-pqc6 CVE-2026-31888 GHSA-gqc5-xv7m-gcjq

Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1

Reported by:
GitHub
[HIGH] Shopware: Unauthenticated data extraction possible through store-api.order endpoint

PKSA-1d39-xhww-sgwf CVE-2026-31887 GHSA-7vvp-j573-5584

Affected version: <6.6.10.15|>=6.7.0.0,<6.7.8.1

Reported by:
GitHub
[HIGH] Shopware Has Improper Control of Generation of Code in Twig rendered views

PKSA-sj7p-kg8p-gg2k CVE-2026-23498 GHSA-7cw6-7h3h-v8pf

Affected version: >=6.7.0.0,<6.7.6.1

Reported by:
GitHub

shopware/core Security Advisories for v6.7.5.0 (13)

[MEDIUM] Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

[MEDIUM] Shopware: Stored XSS via SVG file upload — no SVG sanitization

[MEDIUM] Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

[MEDIUM] Shopware: Admin API ACL Bypass in Order State Transition Endpoints

[MEDIUM] Shopware SSO referer trust leading to an arbitrary redirect target

[LOW] Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

[MEDIUM] Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

[MEDIUM] Shopware: Admin Account Takeover via User Recovery Hash Exposure

[MEDIUM] Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

[HIGH] Shopware vulnerable to a potential take over of app credentials

[MEDIUM] Shopware has user enumeration via distinct error codes on Store API login endpoint

[HIGH] Shopware: Unauthenticated data extraction possible through store-api.order endpoint

[HIGH] Shopware Has Improper Control of Generation of Code in Twig rendered views