Shopware Platform vulnerabilities

42 known vulnerabilities affecting shopware/platform.

Total CVEs: 42
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 20, MEDIUM 17, LOW 2

Vulnerabilities

Page 1 of 3
CVE-2026-31889 | HIGH | CVSS 8.9 | affected: >= 6.7.0.0, < 6.7.8.1 | fixed in 6.6.10.15 | 2026-03-11
CWE-290. Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC-based authentication without sufficiently binding a shop install
Sources: GHSA, NVD, OSV
CVE-2026-31887 | HIGH | CVSS 8.9 | affected: >= 6.7.0.0, < 6.7.8.1 | fixed in 6.6.10.15 | 2026-03-11
CWE-863. Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.
Sources: GHSA, NVD, OSV
CVE-2026-31888 | MEDIUM | CVSS 5.3 | affected: >= 6.7.0.0, < 6.7.8.1 | fixed in 6.6.10.14 | 2026-03-11
CWE-204. Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" resp
Sources: GHSA, NVD, OSV
CVE-2025-7954 | MEDIUM | affected: ≥ 0, ≤ 6.6.10.4 | 2025-08-06
Shopware race condition bypasses voucher restrictions
CWE-362. A race condition vulnerability has been identified in the voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.
Sources: GHSA, OSV
CVE-2025-32378 | LOW | affected: ≥ 6.6.0.0-rc1, < 6.6.10.3; ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; +1 more | 2025-04-09
Shopware default newsletter opt-in settings allow for mass sign-up abuse
CWE-1188. Impact: Currently the default settings for double opt-in allow mass unsolicited newsletter sign-ups without confirmation. The default settings are:
  Newsletter: Double Opt-in - active
  Newsletter: Double opt-in for registered customers - disabled
  Log-in & sign-up: Double opt-in on sign-up - disabled
With these sett
Sources: GHSA, OSV
CVE-2025-27892 | HIGH | PoC available | affected: ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; ≥ 6.6.0.0, < 6.6.10.3; +1 more | 2025-04-08
Shopware Vulnerable to Blind SQL-injection in DAL aggregations
CWE-89. Impact: The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this nested "aggregations" object is vulnerabl
Sources: GHSA, OSV
CVE-2025-30151 | HIGH | affected: ≥ 6.6.0.0, < 6.6.10.3; ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; +1 more | 2025-04-08
Shopware allows Denial of Service via password length
CWE-20. Impact: It is possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API. Patches: Update to Shopware 6.6.10.3 or 6.5.8.17. Workarounds: For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopwa
Sources: GHSA, OSV
CVE-2025-30150 | MEDIUM | affected: ≥ 6.6.0.0, < 6.6.10.3; ≥ 6.7.0.0-rc1, < 6.7.0.0-rc2; +1 more | 2025-04-08
Shopware 6 allows attackers to check for registered accounts through the store-api
CWE-204. Impact: Through the store-api it is possible for an attacker to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint `/store-api/account/recovery-password` you get the response:
{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not F
Sources: GHSA, OSV
CVE-2024-42356 | HIGH | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
Shopware vulnerable to Server Side Template Injection in Twig using Context functions
CWE-1336. Impact: The `context` variable is injected into almost every Twig template and allows access to the current language and currency information. The context object also allows switching the scope of the Context for a short time, as a helper with a callable function. Example call from PHP: $co
Sources: GHSA, OSV
CVE-2024-42355 | HIGH | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
CWE-1336. Impact: Shopware has a new Twig tag `sw_silent_feature_call` which silences deprecation messages triggered inside this tag. It accepts as parameter a string, the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Patches: U
Sources: GHSA, OSV
CVE-2024-42354 | MEDIUM | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
CWE-284. Impact: The store-API works with regular entities and does not expose all fields on the public API; fields need to be marked as ApiAware in the EntityDefinition, so only ApiAware fields of the EntityDefinition are encoded into the final JSON. The processing of the Criteria did not cons
Sources: GHSA, OSV
CVE-2024-42357 | MEDIUM | affected: ≥ 0, < 6.5.8.13; ≥ 6.6.0.0, < 6.6.5.1 | 2024-08-08
Shopware vulnerable to blind SQL-injection in DAL aggregations
CWE-89. Impact: The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL-inject
Sources: GHSA, OSV
CVE-2024-31447 | MEDIUM | affected: ≥ 6.3.5.0, < 6.5.8.8; ≥ 6.6.0.0-rc1, < 6.6.1.0 | 2024-04-08
Shopware Improper Session Handling in store-api account logout
CWE-613. Impact: When an authenticated request is made to `POST /store-api/account/logout`, the cart is cleared, but the user is not logged out. This affects only direct store-api usage, as the PHP Storefront additionally listens on `CustomerLogoutEvent` and invalidates the session. Patches: The problem has been fix
Sources: GHSA, OSV
CVE-2024-27917 | HIGH | affected: ≥ 6.5.8.0, < 6.5.8.7 | 2024-03-06
Shopware's session is persistent in Cache for 404 pages
CWE-524. Impact: The Symfony Session Handler pops the session cookie and assigns it to the Response. Since Shopware 6.5.8.0, 404 pages are cached to improve their performance, so the cached Response contains a session cookie when the browser accessing the 404 page has no cookies yet. The Symfony Session Handler is in use when no explicit Se
Sources: GHSA, OSV
CVE-2024-22406 | CRITICAL | affected: ≥ 0, < 6.5.7.4 | 2024-01-17
Blind SQL injection in shopware
CWE-89. Impact: The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field in this "aggregations" object is vulnerable to SQL-injection and can be exploited using time-based SQL queries.
Sources: GHSA, OSV
CVE-2024-22407 | MEDIUM | affected: ≥ 0, < 6.5.7.4 | 2024-01-17
Broken Access Control order API in Shopware
CWE-284. Impact: In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. Patches: Update to Shopware 6.5.7.4. Workarounds: For older version
Sources: GHSA, OSV
CVE-2023-2017 | HIGH | CVSS 8.8 | affected: ≥ 0, < 6.4.20.1 | 2023-04-18
Shopware Has Improper Control of Generation of Code in Twig rendered views
CWE-1336. Impact: With CVE-2023-22731 (https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w) we fixed Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as a string or an array, and array-crafted PHP Closures were not checked against the allow list. Patches: The p
Sources: GHSA, OSV
CVE-2023-22732 | CRITICAL | CVSS 9.8 | fixed in 6.4.18.1 | 2023-01-17
CWE-613. Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. The Administration session expiration was set to one week; when an attacker has stolen the session cookie, they could use it for a long period of time. In version 6.4.18.1 an automatic logout from the Administration session has been added. As a result the user will
Sources: GHSA, NVD, OSV
CVE-2023-22731 | HIGH | CVSS 8.8 | fixed in 6.4.18.1 | 2023-01-17
CWE-94. Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in Twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twi
Sources: GHSA, NVD, OSV
CVE-2023-22730 | HIGH | CVSS 7.5 | fixed in 6.4.18.1 | 2023-01-17
CWE-20. Shopware is an open source commerce platform based on the Symfony Framework and Vue.js. In affected versions it was possible to put the same line item multiple times in the cart using the API. The Cart Validators checked the line item's individuality and the user was able to bypass quantity limits in sales. This problem has been fixed with version 6.4.18.1.
Sources: GHSA, NVD, OSV
Shopware Platform vulnerabilities | cvebase