Security Advisories - shopware/core

shopware/core Security Advisories for 6.4.4.0 (29)

[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled

PKSA-v415-g75g-bqsy GHSA-r2vg-hvjm-fg38

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub
[MEDIUM] Shopware exposes sensitive user information via CSV export mapping

PKSA-kypv-cx5n-qkc8 GHSA-27c9-vp3w-6ww8

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub
[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice

PKSA-h5dj-jyqc-4fjr GHSA-3cpp-fv95-mpr5

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub
[LOW] Shopware vulnerable to path traversal via Plugin upload

PKSA-6wp3-462p-vyty GHSA-6wh5-mw9h-5c3w

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

PKSA-b824-t6kf-bqqz GHSA-m895-2hj3-8cg9

Affected version: <6.6.10.7|>=6.7.0.0,<6.7.3.1

Reported by:
GitHub
[LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse

PKSA-8vfm-96b7-t9nt CVE-2025-32378 GHSA-4h9w-7vfp-px8m

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0-rc1,<6.6.10.3

Reported by:
GitHub
[MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents

PKSA-frt7-rv6d-9v53 GHSA-68wv-g3fw-pq7q

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3

Reported by:
GitHub
[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations

PKSA-m54b-2v2z-x1bs CVE-2025-27892 GHSA-8g35-7rmw-7f59

Affected version: <6.5.8.18|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1

Reported by:
GitHub
[HIGH] Shopware allows Denial Of Service via password length

PKSA-k472-zz4q-rd5r CVE-2025-30151 GHSA-cgfj-hj93-rmh2

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3

Reported by:
GitHub
[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api

PKSA-dbxn-psgm-2qmr CVE-2025-30150 GHSA-hh7j-6x3q-f52h

Affected version: <=6.5.8.17|>=6.6.0.0,<=6.6.10.2|=6.7.0.0-rc1

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations

PKSA-wp2c-7yp8-5fvs CVE-2024-42357 GHSA-p6w9-r443-r752

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions

PKSA-kt1g-n1g2-hzb4 CVE-2024-42356 GHSA-35jp-8cgg-p4wj

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

PKSA-6stq-czfs-1nvv CVE-2024-42355 GHSA-27wp-jvhw-v4xp

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api

PKSA-4spx-rq41-wk8h CVE-2024-42354 GHSA-hhcq-ph6w-494g

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[MEDIUM] Shopware Improper Session Handling in store-api account logout

PKSA-s8vz-878v-gv1c CVE-2024-31447 GHSA-5297-wrrp-rcj7

Affected version: >=6.6.0.0-rc1,<6.6.1.0|>=6.3.5.0,<6.5.8.8

Reported by:
GitHub
[MEDIUM] Broken Access Control order API in Shopware

PKSA-mm7q-gnjj-tttn CVE-2024-22407 GHSA-3867-jc5c-66qf

Affected version: <=6.5.7.3

Reported by:
GitHub
[CRITICAL] Blind SQL injection in shopware

PKSA-ktmn-6519-qrdp CVE-2024-22406 GHSA-qmp9-2xwj-m6m9

Affected version: <=6.5.7.3

Reported by:
GitHub
[HIGH] Improper Control of Generation of Code in Twig rendered views

PKSA-kd1k-vbw9-69fx CVE-2023-2017 GHSA-7v2v-9rm4-7m8f

Affected version: <=6.4.20.0

Reported by:
GitHub
[MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription

PKSA-zbt5-mjsz-9f2t CVE-2023-22734 GHSA-46h7-vj7x-fxg2

Affected version: <=6.4.18.0

Reported by:
GitHub
[LOW] Shopware has Insufficient Session Expiration in Administration

PKSA-bnh5-5drc-b8g8 CVE-2023-22732 GHSA-59qg-93jg-236f

Affected version: <=6.4.18.0

Reported by:
GitHub
[LOW] Shopware's log module vulnerable to Improper Output Neutralization

PKSA-88mf-d614-87c1 CVE-2023-22733 GHSA-7cp7-jfp6-jh4f

Affected version: <=6.4.18.0

Reported by:
GitHub
[CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views

PKSA-s94v-mcmm-ycmg CVE-2023-22731 GHSA-93cw-f5jj-x85w

Affected version: <=6.4.18.0

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart

PKSA-zr2k-54cr-tb84 CVE-2023-22730 GHSA-8r6h-m72v-38fg

Affected version: <=6.4.18.0

Reported by:
GitHub
[HIGH] Server-Side Request Forgery (SSRF) in Shopware

PKSA-34sw-dmrz-s3ct CVE-2022-24871 GHSA-7gm7-8q8v-9gf2

Affected version: <=6.4.9.0

Reported by:
GitHub
[MEDIUM] Incorrect Authentication in shopware

PKSA-3mg1-qgkz-fhzr CVE-2022-24748 GHSA-83vp-6jqg-6cmr

Affected version: <=6.4.8.1

Reported by:
GitHub
[MEDIUM] HTTP caching is marking private HTTP headers as public in Shopware

PKSA-ccnj-bqfc-887j CVE-2022-24747 GHSA-6wrh-279j-6hvw

Affected version: <=6.4.8.1

Reported by:
GitHub
[MEDIUM] HTML injection possibility in voucher code form in Shopware

PKSA-tnyf-cn12-jhmf CVE-2022-24746 GHSA-952p-fqcp-g8pc

Affected version: <=6.4.8.0

Reported by:
GitHub
[LOW] Shopware user session is not logged out if the password is reset via password recovery

PKSA-9h2g-h8jc-v38b CVE-2022-24744 GHSA-w267-m9c4-8555

Affected version: <=6.4.8.0

Reported by:
GitHub
[CRITICAL] Webcache Poisoning in shopware/platform and shopware/core

PKSA-r6j6-5wr2-cc9q GHSA-r64m-qchj-hrjp

Affected version: <=6.4.6.0

Reported by:
GitHub

shopware/core Security Advisories for 6.4.4.0 (29)

[MEDIUM] Shopware Customer Orders can be canceled, even if refunds are disabled

[MEDIUM] Shopware exposes sensitive user information via CSV export mapping

[LOW] Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice

[LOW] Shopware vulnerable to path traversal via Plugin upload

[MEDIUM] Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually

[LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse

[MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents

[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations

[HIGH] Shopware allows Denial Of Service via password length

[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api

[MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations

[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions

[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api

[MEDIUM] Shopware Improper Session Handling in store-api account logout

[MEDIUM] Broken Access Control order API in Shopware

[CRITICAL] Blind SQL injection in shopware

[HIGH] Improper Control of Generation of Code in Twig rendered views

[MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription

[LOW] Shopware has Insufficient Session Expiration in Administration

[LOW] Shopware's log module vulnerable to Improper Output Neutralization

[CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views

[MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart

[HIGH] Server-Side Request Forgery (SSRF) in Shopware

[MEDIUM] Incorrect Authentication in shopware

[MEDIUM] HTTP caching is marking private HTTP headers as public in Shopware

[MEDIUM] HTML injection possibility in voucher code form in Shopware

[LOW] Shopware user session is not logged out if the password is reset via password recovery

[CRITICAL] Webcache Poisoning in shopware/platform and shopware/core