CVE-2025-27892
published 2025-04-15


Priority: P354
CVSS 3.1: 6.8 (medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Exploit: (see EPSS)
EPSS: 11.31% (95.4th percentile)
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.

Affected (9 ranges)

Vendor     Product    Version range                    Fixed in
shopware   core       >= 0 < 6.5.8.18                  6.5.8.18
shopware   core       >= 6.6.0.0 < 6.6.10.3            6.6.10.3
shopware   core       >= 6.7.0.0-rc1 < 6.7.0.0-rc2     6.7.0.0-rc2
shopware   platform   >= 0 < 6.5.8.18                  6.5.8.18
shopware   platform   >= 6.6.0.0 < 6.6.10.3            6.6.10.3
shopware   platform   >= 6.7.0.0-rc1 < 6.7.0.0-rc2     6.7.0.0-rc2
shopware   shopware   < 6.5.8.17                       6.5.8.17
shopware   shopware   (not specified)                  (not specified)
shopware   shopware   >= 6.6.0.0 < 6.6.10.3            6.6.10.3