CVE-2025-67648 — Cross-site Scripting in Shopware

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 83.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Storefront

Timeline

Latest updateDec 9

PublishedDec 11

Description

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Packagistshopware/storefront6.4.6.0 — 6.6.10.10+1

▶NVDshopware/shopware6.4.6.0 — 6.6.10.10+1

▶Packagistshopware/shopware6.4.6.0 — 6.6.10.10+1

▶CVEListV5shopware/shopware>= 6.4.6.0, < 6.6.10.10, >= 6.7.0.0, < 6.7.5.1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Shopware Storefront Reflected XSS in Storefront Login Page↗2025-12-09

▶

GHSA

Shopware Storefront Reflected XSS in Storefront Login Page↗2025-12-09

▶

🕵️Threat Intelligence

Wiz

CVE-2025-67648 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶