Shopware Core vulnerabilities

33 known vulnerabilities affecting shopware/core.

Total CVEs: 33
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 14, MEDIUM 13, LOW 4

Vulnerabilities

Page 1 of 2
CVE-2026-31889 | HIGH | CVSS 8.9 | affected: >= 6.7.0.0, < 6.7.8.1 | fixed in 6.6.10.15 | 2026-03-11
CWE-290. Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC-based authentication without sufficiently binding a shop install
Sources: GHSA, NVD, OSV

CVE-2026-31887 | HIGH | CVSS 8.9 | affected: >= 6.7.0.0, < 6.7.8.1 | fixed in 6.6.10.15 | 2026-03-11
CWE-863. Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
Sources: GHSA, NVD, OSV

CVE-2026-31888 | MEDIUM | CVSS 5.3 | affected: >= 6.7.0.0, < 6.7.8.1 | fixed in 6.6.10.15 | 2026-03-11
CWE-204. Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" resp
Sources: GHSA, NVD, OSV

CVE-2026-23498 | HIGH | CVSS 8.8 | affected: ≥ 6.7.0.0, < 6.7.6.1 | 2026-01-14
CWE-94. Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact: With CVE-2023-2017 (https://github.com/advisories/GHSA-7v2v-9rm4-7m8f) we fixed Twig filters to only be executed with allowed functions. However, there was a regression that led to array-crafted PHP Closures not being checked against the allow list for the map(...) override.
Patches: Patched in 6
Sources: GHSA, OSV

CVE-2025-32378 | LOW | affected: ≥ 6.6.0.0-rc1, < 6.6.10.3; ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; +1 more | 2025-04-09
CWE-1188. Shopware default newsletter opt-in settings allow for mass sign-up abuse
Impact: Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are: Newsletter: Double Opt-in - active; Newsletter: Double opt-in for registered customers - disabled; Log-in & sign-up: Double opt-in on sign-up - disabled. With these sett
Sources: GHSA, OSV

CVE-2025-27892 | HIGH | PoC | affected: ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; ≥ 6.6.0.0, < 6.6.10.3; +1 more | 2025-04-08
CWE-89. Shopware Vulnerable to Blind SQL-injection in DAL aggregations
Impact: The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" in nested object is vulnerabl
Sources: GHSA, OSV

CVE-2025-30151 | HIGH | affected: ≥ 6.6.0.0, < 6.6.10.3; ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; +1 more | 2025-04-08
CWE-20. Shopware allows Denial Of Service via password length
Impact: It is possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API.
Patches: Update to Shopware 6.6.10.3 or 6.5.8.17
Workarounds: For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopwa
Sources: GHSA, OSV

CVE-2025-30150 | MEDIUM | affected: ≥ 6.6.0.0, < 6.6.10.3; ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; +1 more | 2025-04-08
CWE-204. Shopware 6 allows attackers to check for registered accounts through the store-api
Impact: Through the store-api it is possible, as an attacker, to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response {"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not F
Sources: GHSA, OSV

CVE-2024-42356 | HIGH | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
CWE-1336. Shopware vulnerable to Server Side Template Injection in Twig using Context functions
Impact: The context variable is injected into almost any Twig template and gives access to the current language and currency information. The context object also allows switching the scope of the Context for a short time, as a helper with a callable function. Example call from PHP: $co
Sources: GHSA, OSV

CVE-2024-42355 | HIGH | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
CWE-1336. Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
Impact: Shopware has a new Twig tag sw_silent_feature_call which silences deprecation messages triggered inside this tag. It accepts as parameter a string, the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.
Patches: U
Sources: GHSA, OSV

CVE-2024-42354 | MEDIUM | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
CWE-284. Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
Impact: The store-API works with regular entities and does not expose all fields in the public API; fields need to be marked as ApiAware in the EntityDefinition, so only ApiAware fields of the EntityDefinition will be encoded into the final JSON. The processing of the Criteria did not cons
Sources: GHSA, OSV

CVE-2024-42357 | MEDIUM | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
CWE-89. Shopware vulnerable to blind SQL-injection in DAL aggregations
Impact: The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL-inject
Sources: GHSA, OSV

CVE-2024-31447 | MEDIUM | affected: ≥ 6.3.5.0, < 6.5.8.8; ≥ 6.6.0.0-rc1, < 6.6.1.0 | 2024-04-08
CWE-613. Shopware Improper Session Handling in store-api account logout
Impact: When an authenticated request is made to POST /store-api/account/logout, the cart will be cleared, but the user won't be logged out. This affects only direct store-api usage, as the PHP Storefront additionally listens on CustomerLogoutEvent and invalidates the session.
Patches: The problem has been fix
Sources: GHSA, OSV

CVE-2024-22406 | CRITICAL | affected: ≥ 0, < 6.5.7.4 | 2024-01-17
CWE-89. Blind SQL injection in shopware
Impact: The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries.
P
Sources: GHSA, OSV

CVE-2024-22407 | MEDIUM | affected: ≥ 0, < 6.5.7.4 | 2024-01-17
CWE-284. Broken Access Control order API in Shopware
Impact: In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state.
Patches: Update to Shopware 6.5.7.4
Workarounds: For older version
Sources: GHSA, OSV

CVE-2023-2017 | HIGH | CVSS 8.8 | affected: ≥ 0, < 6.4.20.1 | 2023-04-18
CWE-1336. Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact: With CVE-2023-22731 (https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w) we fixed Twig filters to only be executed with allowed functions. It was possible to pass PHP Closures as a string or an array, and array-crafted PHP Closures were not checked against the allow list.
Patches: The p
Sources: GHSA, OSV

CVE-2023-22734 | MEDIUM | affected: ≥ 0, < 6.4.18.1 | 2023-01-20
CWE-20. Shopware has Improper Input Validation issue in newsletter subscription
Impact: The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt-in process.
Patches: The problem has been fixed with 6.4.18.1
Workarounds: For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For t
Sources: GHSA, OSV

CVE-2023-22733 | LOW | affected: ≥ 0, < 6.4.18.1 | 2023-01-20
CWE-117. Shopware's log module vulnerable to Improper Output Neutralization
Impact: The log module contains all kinds of sent mails. It is possible to see the password reset emails of customers and admin users and thereby probably gain more access.
Patches: Update to the latest 6.4.18.1 version.
Workarounds: For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a p
Sources: GHSA, OSV

CVE-2023-22732 | LOW | affected: ≥ 0, < 6.4.18.1 | 2023-01-20
CWE-613. Shopware has Insufficient Session Expiration in Administration
Impact: The Administration session expiration was set to one week; when an attacker has stolen the session cookie, they could use it for a long period of time.
Patches: We added an automatic logout into the Administration, so the user will be logged out when they are inactive.
References: https://docs.shopware.com/en/shopware-6-en/
Sources: GHSA, OSV

CVE-2023-22731 | CRITICAL | affected: ≥ 0, < 6.4.18.1 | 2023-01-17
CWE-94. Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views
Impact: In a Twig environment without the Sandbox extension, it is possible to refer to PHP functions in Twig filters like map, filter and sort. This allows the template to call any global PHP function.
Patches: The problem has been fixed with 6.4.18.1 with an override of the spec
Sources: GHSA, OSV
