Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-27892 — SQL Injection in Shopware

CWE-89 — SQL Injection4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

2.8%

top 13.90%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Shopware Shopware Core Shopware Platform

Timeline

Latest updateApr 8

PublishedApr 15

Description

Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:LExploitability: 2.1 | Impact: 4.7

Affected Packages3 packages

▶Packagistshopware/core6.7.0.0-rc1 — 6.7.0.0-rc2+2

▶NVDshopware/shopware6.6.0.0 — 6.6.10.3+2

▶Packagistshopware/platform6.7.0.0-rc1 — 6.7.0.0-rc2+2

🔴Vulnerability Details

GHSA

Shopware Vulnerable to Blind SQL-injection in DAL aggregations↗2025-04-08

▶

OSV

Shopware Vulnerable to Blind SQL-injection in DAL aggregations↗2025-04-08

▶

💥Exploits & PoCs

Nuclei

Shopware < 6.5.8.13 - SQL Injection

▶