shopware/platform Security Advisories for 6.5.x-dev (9)

All nine advisories below apply to the 6.5.x-dev branch because every constraint starts with a "<6.6.x" or "<=6.6.x" bound that covers every 6.5 release. Constraint syntax: "|" separates alternative version ranges, "," joins conditions that must all hold within one range, and "<x" is an exclusive upper bound, so x is the first release outside the range, i.e. the patched release.

[HIGH] Shopware vulnerable to a potential take over of app credentials
Identifiers: PKSA-qj2q-c8sp-3qyg, CVE-2026-31889, GHSA-c4p7-rwrg-pf6p
Affected versions: <6.6.10.15|>=6.7.0.0,<6.7.8.1 (first patched releases: 6.6.10.15 and 6.7.8.1)
Reported by: (not listed)

[MEDIUM] Shopware has user enumeration via distinct error codes on Store API login endpoint
Identifiers: PKSA-8zg6-v85t-wcz3, CVE-2026-31888, GHSA-gqc5-xv7m-gcjq
Affected versions: <6.6.10.14|>=6.7.0.0,<6.7.8.1 (first patched releases: 6.6.10.14 and 6.7.8.1)
Reported by: (not listed)

[HIGH] Shopware: Unauthenticated data extraction possible through store-api.order endpoint
Identifiers: PKSA-bwqq-zb6b-g5dh, CVE-2026-31887, GHSA-7vvp-j573-5584
Affected versions: <6.6.10.15|>=6.7.0.0,<6.7.8.1 (first patched releases: 6.6.10.15 and 6.7.8.1)
Reported by: (not listed)

[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled
Identifiers: PKSA-g23j-x3sb-wcbc, GHSA-r2vg-hvjm-fg38 (no CVE listed)
Affected versions: <6.6.10.7|>=6.7.0.0,<6.7.3.1 (first patched releases: 6.6.10.7 and 6.7.3.1)
Reported by: (not listed)

[MEDIUM] Shopware exposes sensitive user information via CSV export mapping
Identifiers: PKSA-cb17-wqsx-y85w, GHSA-27c9-vp3w-6ww8 (no CVE listed)
Affected versions: <6.6.10.7|>=6.7.0.0,<6.7.3.1 (first patched releases: 6.6.10.7 and 6.7.3.1)
Reported by: (not listed)

[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) in order invoice generation
Identifiers: PKSA-ph5g-5w5h-nqtz, GHSA-3cpp-fv95-mpr5 (no CVE listed)
Affected versions: <6.6.10.7|>=6.7.0.0,<6.7.3.1 (first patched releases: 6.6.10.7 and 6.7.3.1)
Reported by: (not listed)

[LOW] Shopware vulnerable to path traversal via plugin upload
Identifiers: PKSA-wg2b-w14d-z55p, GHSA-6wh5-mw9h-5c3w (no CVE listed)
Affected versions: <6.6.10.7|>=6.7.0.0,<6.7.3.1 (first patched releases: 6.6.10.7 and 6.7.3.1)
Reported by: (not listed)

[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
Identifiers: PKSA-h7xc-cnc9-hq4s, GHSA-m895-2hj3-8cg9 (no CVE listed)
Affected versions: <6.6.10.7|>=6.7.0.0,<6.7.3.1 (first patched releases: 6.6.10.7 and 6.7.3.1)
Reported by: (not listed)

[MEDIUM] Shopware race condition bypasses voucher restrictions
Identifiers: PKSA-sy2r-ddrd-9s1c, CVE-2025-7954, GHSA-27gv-mg7w-mm34
Affected versions: <=6.6.10.4 (inclusive upper bound only; the patched release is not stated on this page)
Reported by: (not listed)
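
The affected-version strings above are the only machine-checkable data on this page, so the practical question for an operator is "which of these nine still apply to the version I run?". The following is an added example (not Shopware's or Packagist's own code) that parses the constraint syntax used here ("|" for alternatives, "," for conjunction, comparison operator plus dotted version) and answers that question for an installed version; the advisory table is transcribed from the listing, and the sample versions fed to it are constructed for illustration.

```python
"""Check an installed shopware/platform version against the affected-version
constraints in the advisory listing. Added example, not project code.

Constraint syntax as used on the page: '|' separates alternative ranges,
',' joins conditions that must all hold within one range; each condition
is an operator (<, <=, >, >=, =) followed by a dotted version.
"""
import re

# Advisory table transcribed from the listing: (severity, GHSA id, constraint).
ADVISORIES = [
    ("HIGH",   "GHSA-c4p7-rwrg-pf6p", "<6.6.10.15|>=6.7.0.0,<6.7.8.1"),
    ("MEDIUM", "GHSA-gqc5-xv7m-gcjq", "<6.6.10.14|>=6.7.0.0,<6.7.8.1"),
    ("HIGH",   "GHSA-7vvp-j573-5584", "<6.6.10.15|>=6.7.0.0,<6.7.8.1"),
    ("MEDIUM", "GHSA-r2vg-hvjm-fg38", "<6.6.10.7|>=6.7.0.0,<6.7.3.1"),
    ("MEDIUM", "GHSA-27c9-vp3w-6ww8", "<6.6.10.7|>=6.7.0.0,<6.7.3.1"),
    ("LOW",    "GHSA-3cpp-fv95-mpr5", "<6.6.10.7|>=6.7.0.0,<6.7.3.1"),
    ("LOW",    "GHSA-6wh5-mw9h-5c3w", "<6.6.10.7|>=6.7.0.0,<6.7.3.1"),
    ("MEDIUM", "GHSA-m895-2hj3-8cg9", "<6.6.10.7|>=6.7.0.0,<6.7.3.1"),
    ("MEDIUM", "GHSA-27gv-mg7w-mm34", "<=6.6.10.4"),
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}
# Longer operators first so '<=' is not read as '<' followed by '=6...'.
_COND = re.compile(r"^(<=|>=|<|>|=)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'6.7.8' -> (6, 7, 8, 0): right-pad to four components so 6.7 compares as 6.7.0.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    return parts + (0,) * (4 - len(parts))


def format_version(parts):
    return ".".join(str(p) for p in parts)


def parse_constraint(text):
    """Return a list of alternatives; each alternative is a list of (op, version_tuple)."""
    alternatives = []
    for alt in text.split("|"):
        conditions = []
        for cond in alt.split(","):
            match = _COND.match(cond.strip())
            if not match:
                raise ValueError(f"unparseable condition {cond!r} in {text!r}")
            conditions.append((match.group(1), parse_version(match.group(2))))
        alternatives.append(conditions)
    return alternatives


def is_affected(version, constraint):
    """True if `version` satisfies every condition of at least one alternative."""
    v = parse_version(version)
    return any(
        all(_OPS[op](v, bound) for op, bound in conditions)
        for conditions in parse_constraint(constraint)
    )


def open_advisories(version):
    """GHSA ids of the listed advisories that still apply to `version`, in page order."""
    return [ghsa for _sev, ghsa, constraint in ADVISORIES if is_affected(version, constraint)]


def first_fixed_versions(constraint):
    """Exclusive upper bounds ('<x') of each alternative: x is the first release outside
    the range, i.e. the patched release. An alternative with only an inclusive bound
    (e.g. '<=6.6.10.4') does not state its fix version, so nothing is returned for it."""
    return [
        format_version(bound)
        for conditions in parse_constraint(constraint)
        for op, bound in conditions
        if op == "<"
    ]


if __name__ == "__main__":
    # Constructed sample versions: a 6.5 release, two 6.6 patch levels, the last
    # vulnerable 6.7 and the first fixed 6.7.
    for installed in ("6.5.8.0", "6.6.10.4", "6.6.10.14", "6.7.8.0", "6.7.8.1"):
        print(installed, "->", open_advisories(installed) or "no open advisories")
```

Running it shows why the header says nine advisories for 6.5.x-dev: every 6.5 release (and 6.6.10.4) satisfies all nine constraints, 6.6.10.14 is still caught by the two "<6.6.10.15" ranges, 6.7.8.0 by the three advisories fixed in 6.7.8.1, and 6.7.8.1 by none. Versions are compared as integer tuples rather than strings so that 6.6.10.15 sorts after 6.6.10.7; a string comparison would get that wrong.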