Shopware Storefront vulnerabilities

5 known vulnerabilities affecting shopware/storefront.

- Total CVEs: 5
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: HIGH 2, MEDIUM 3

Vulnerabilities

## CVE-2025-67648 (HIGH, CWE-79): Shopware Storefront Reflected XSS in Storefront Login Page

- Affected versions: ≥ 6.4.6.0, < 6.6.10.10; ≥ 6.7.0.0, < 6.7.5.1
- Published: 2025-12-09

### Impact

By exploiting the XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to:

- Obtaining user session tokens.
- Performing administrative actions (when an administrative user is affected).

These vulnerabilities
## CVE-2024-27917 (HIGH, CWE-524): Shopware's session is persistent in cache for 404 pages

- Affected versions: ≥ 6.5.8.0, < 6.5.8.7
- Published: 2024-03-06

### Impact

The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, 404 pages are cached to improve their performance. So the cached Response contains a Session Cookie when the browser accessing the 404 page has no cookies yet. The Symfony Session Handler is in use when no explicit Se
## CVE-2022-24746 (MEDIUM, CWE-79): HTML injection possibility in voucher code form in Shopware

- Affected versions: ≥ 0, < 6.4.8.1
- Published: 2022-03-10

### Impact

HTML injection possibility in voucher code form.

### Patches

Patched in 6.4.8.1; maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6

### Workarounds

For older versions of 6.
## CVE-2022-24747 (MEDIUM, CWE-200): HTTP caching is marking private HTTP headers as public in Shopware

- Affected versions: ≥ 0, < 6.4.8.2
- Published: 2022-03-10

### Impact

HTTP caching is marking private HTTP headers as public.

### Patches

Fixed in 6.4.8.2; maintainers recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6

### Workarounds

For older versions of 6.1
## CVE-2022-24745 (MEDIUM, CWE-384): Shopware guest session is shared between customers

- Affected versions: ≥ 0, < 6.4.8.2
- Published: 2022-03-10

### Impact

Guest sessions are shared between customers when the HTTP cache is enabled. Setups with Varnish are not affected by this issue.

### Patches

We recommend updating to the current version 6.4.8.2. You can get the update to 6.4.8.2 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/download/#shopware-6

### Workarounds