Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/53868?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/53868?format=api", "purl": "pkg:composer/shopware/shopware@5.2.0", "type": "composer", "namespace": "shopware", "name": "shopware", "version": "5.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.6.1", "latest_non_vulnerable_version": "5.7.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/340825?format=api", "vulnerability_id": "VCID-2xvz-338c-dygp", "summary": "Shopware Non-Persistent XSS in the Frontend", "references": [ { "reference_url": "https://community.shopware.com/_detail_2048.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://community.shopware.com/_detail_2048.html" }, { "reference_url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-01-2018?category=shopware-5-en/security-updates", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-01-2018?category=shopware-5-en/security-updates" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2018-01-22.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/shopware/shopware/2018-01-22.yaml" }, { "reference_url": "https://github.com/shopware5/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware5/shopware" }, { "reference_url": "https://github.com/shopware5/shopware/commit/54461aa651566dc2701b873fe6bd94589604751b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware5/shopware/commit/54461aa651566dc2701b873fe6bd94589604751b" }, { "reference_url": "https://github.com/advisories/GHSA-jqr7-5h7r-ch8p", "reference_id": "GHSA-jqr7-5h7r-ch8p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jqr7-5h7r-ch8p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53852?format=api", "purl": "pkg:composer/shopware/shopware@5.3.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.7" } ], "aliases": [ "GHSA-jqr7-5h7r-ch8p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2xvz-338c-dygp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13716?format=api", "vulnerability_id": "VCID-6cb3-b3qq-juap", "summary": "Deserialization of Untrusted Data\nIn `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12799", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.24236", "scoring_system": "epss", "scoring_elements": "0.96183", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12799" }, { "reference_url": "https://github.com/advisories/GHSA-6m27-7cqj-2mxw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6m27-7cqj-2mxw" }, { "reference_url": "https://github.com/rapid7/metasploit-framework/pull/11828", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rapid7/metasploit-framework/pull/11828" }, { "reference_url": "https://github.com/shopware5/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware5/shopware" }, { "reference_url": "https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12799", "reference_id": "CVE-2019-12799", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12799" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57225?format=api", "purl": "pkg:composer/shopware/shopware@5.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.1" } ], "aliases": [ "CVE-2019-12799", "GHSA-rf8f-hqjv-986p" ], "risk_score": 0.1, "exploitability": "0.5", "weighted_severity": "0.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6cb3-b3qq-juap" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15631?format=api", "vulnerability_id": "VCID-8n77-xfpc-sucm", "summary": "Cross-Site Request Forgery (CSRF)\nShopware is an open source e-commerce software platform. Versions prior to 5.7.9 is vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.3314", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24879" }, { "reference_url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/" } ], "url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://www.shopware.com/en/changelog-sw5/#5-7-9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/" } ], "url": "https://www.shopware.com/en/changelog-sw5/#5-7-9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24879", "reference_id": "CVE-2022-24879", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24879" }, { "reference_url": "https://github.com/advisories/GHSA-pf38-v6qj-j23h", "reference_id": "GHSA-pf38-v6qj-j23h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pf38-v6qj-j23h" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h", "reference_id": "GHSA-pf38-v6qj-j23h", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60549?format=api", "purl": "pkg:composer/shopware/shopware@5.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.9" } ], "aliases": [ "CVE-2022-24879", "GHSA-pf38-v6qj-j23h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8n77-xfpc-sucm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13737?format=api", "vulnerability_id": "VCID-c3rs-ndfu-c3bq", "summary": "Cross-site Scripting\nShopware has XSS via the Query String to the `backend/Login` or `backend/Login/load/` URI.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12935", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0358", "scoring_system": "epss", "scoring_elements": "0.8794", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12935" }, { "reference_url": "http://seclists.org/fulldisclosure/2019/Jun/32", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://seclists.org/fulldisclosure/2019/Jun/32" }, { "reference_url": "https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware" }, { "reference_url": "https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/" }, { "reference_url": "https://www.shopware.com/en/changelog/#5-5-8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.shopware.com/en/changelog/#5-5-8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12935", "reference_id": "CVE-2019-12935", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12935" }, { "reference_url": "https://github.com/advisories/GHSA-8qxh-hcr9-2379", "reference_id": "GHSA-8qxh-hcr9-2379", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8qxh-hcr9-2379" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57244?format=api", "purl": "pkg:composer/shopware/shopware@5.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.5.8" } ], "aliases": [ "CVE-2019-12935", "GHSA-8qxh-hcr9-2379" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3rs-ndfu-c3bq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12083?format=api", "vulnerability_id": "VCID-c8p5-grny-sue7", "summary": "Cross-site Scripting\nNon-Persistent XSS in shopware.", "references": [ { "reference_url": "https://community.shopware.com/_detail_2048.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://community.shopware.com/_detail_2048.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53869?format=api", "purl": "pkg:composer/shopware/shopware@5.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-ecce-958d-k3fx" }, { "vulnerability": "VCID-mu45-9nhk-f7a5" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.0" } ], "aliases": [ "GMS-2018-77" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8p5-grny-sue7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11248?format=api", "vulnerability_id": "VCID-cdn9-dp2r-fyfg", "summary": "Code Injection\nRemote Code Execution Vulnerability in shopware.", "references": [ { "reference_url": "https://community.shopware.com/_detail_1989.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://community.shopware.com/_detail_1989.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52152?format=api", "purl": "pkg:composer/shopware/shopware@5.2.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-c8p5-grny-sue7" }, { "vulnerability": "VCID-ecce-958d-k3fx" }, { "vulnerability": "VCID-gn89-e5je-ybeb" }, { "vulnerability": "VCID-k6td-39bu-dqa8" }, { "vulnerability": "VCID-mu45-9nhk-f7a5" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vfdj-s7f8-7bf2" }, { "vulnerability": "VCID-vzv3-795x-gfhd" }, { "vulnerability": "VCID-wh8d-hm8t-vkfm" }, { "vulnerability": "VCID-ztq4-mw67-d3g4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.15" } ], "aliases": [ "GMS-2017-341" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cdn9-dp2r-fyfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11794?format=api", "vulnerability_id": "VCID-ecce-958d-k3fx", "summary": "Cross-site Scripting\nShopware is vulnerable to cross site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-15374", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03459", "scoring_system": "epss", "scoring_elements": "0.87732", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-15374" }, { "reference_url": "https://www.exploit-db.com/exploits/43849", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.exploit-db.com/exploits/43849" }, { "reference_url": "https://www.vulnerability-lab.com/get_content.php?id=1922", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vulnerability-lab.com/get_content.php?id=1922" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/json/webapps/43849.txt", "reference_id": "CVE-2017-15374", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/json/webapps/43849.txt" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15374", "reference_id": "CVE-2017-15374", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15374" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53413?format=api", "purl": "pkg:composer/shopware/shopware@5.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.4" } ], "aliases": [ "CVE-2017-15374", "GHSA-mvrx-cmqw-2jgj" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ecce-958d-k3fx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11418?format=api", "vulnerability_id": "VCID-gn89-e5je-ybeb", "summary": "Remote Code Execution Vulnerability\nUnder certain circumstances, it’s possible to execute an authorized foreign code in Shopware.", "references": [ { "reference_url": "http://en.community.shopware.com/_detail_2015.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://en.community.shopware.com/_detail_2015.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52619?format=api", "purl": "pkg:composer/shopware/shopware@5.2.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-c8p5-grny-sue7" }, { "vulnerability": "VCID-ecce-958d-k3fx" }, { "vulnerability": "VCID-mu45-9nhk-f7a5" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.25" } ], "aliases": [ "GMS-2017-135" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gn89-e5je-ybeb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11267?format=api", "vulnerability_id": "VCID-k6td-39bu-dqa8", "summary": "Code Injection\nRemote Code Execution Vulnerability in shopware.", "references": [ { "reference_url": "https://community.shopware.com/_detail_1989.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://community.shopware.com/_detail_1989.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52201?format=api", "purl": "pkg:composer/shopware/shopware@5.2.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-c8p5-grny-sue7" }, { "vulnerability": "VCID-ecce-958d-k3fx" }, { "vulnerability": "VCID-gn89-e5je-ybeb" }, { "vulnerability": "VCID-mu45-9nhk-f7a5" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" }, { "vulnerability": "VCID-wh8d-hm8t-vkfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.16" } ], "aliases": [ "GMS-2017-342" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k6td-39bu-dqa8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13237?format=api", "vulnerability_id": "VCID-mu45-9nhk-f7a5", "summary": "Externally Controlled Reference to a Resource in Another Sphere\nShopware has a PHP Object Instantiation issue via the `sort` parameter to the `loadPreviewAction()` method of the `Shopware_Controllers_Backend_ProductStream` controller, with resultant XXE via instantiation of a `SimpleXMLElement` object.", "references": [ { "reference_url": "http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://packetstormsecurity.com/files/152995/Shopware-createInstanceFromNamedArguments-PHP-Object-Instantiation.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18357", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.57295", "scoring_system": "epss", "scoring_elements": "0.98184", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-18357" }, { "reference_url": "https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe" }, { "reference_url": "https://demo.ripstech.com/projects/shopware_5.3.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://demo.ripstech.com/projects/shopware_5.3.3" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46915.rb", "reference_id": "CVE-2017-18357", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/46915.rb" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18357", "reference_id": "CVE-2017-18357", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18357" }, { "reference_url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb", "reference_id": "CVE-2017-18357", "reference_type": "exploit", "scores": [], "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53413?format=api", "purl": "pkg:composer/shopware/shopware@5.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.4" } ], "aliases": [ "CVE-2017-18357", "GHSA-6m27-7cqj-2mxw" ], "risk_score": 0.2, "exploitability": "0.5", "weighted_severity": "0.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mu45-9nhk-f7a5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/12077?format=api", "vulnerability_id": "VCID-pb56-zbvy-q7b9", "summary": "Non-Persistent XSS\nShopware is affected by two non-persistent Cross-site Scripting (XSS) vulnerabilities in the frontend.", "references": [ { "reference_url": "http://en.community.shopware.com/_detail_2048.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://en.community.shopware.com/_detail_2048.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53852?format=api", "purl": "pkg:composer/shopware/shopware@5.3.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.3.7" } ], "aliases": [ "SW-20878" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pb56-zbvy-q7b9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/13238?format=api", "vulnerability_id": "VCID-vzv3-795x-gfhd", "summary": "Shopware allows SQL Injection by remote authenticated users.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20713", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0062", "scoring_system": "epss", "scoring_elements": "0.70371", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20713" }, { "reference_url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2018", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2018" }, { "reference_url": "https://github.com/shopware5/shopware/commit/73cb46727050e28a0d7c2cf8471baaa3eaf2e5e8", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware5/shopware/commit/73cb46727050e28a0d7c2cf8471baaa3eaf2e5e8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20713", "reference_id": "CVE-2018-20713", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20713" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56326?format=api", "purl": "pkg:composer/shopware/shopware@5.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.4.3" } ], "aliases": [ "CVE-2018-20713", "GHSA-42gv-77f4-r3j9" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vzv3-795x-gfhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11430?format=api", "vulnerability_id": "VCID-wh8d-hm8t-vkfm", "summary": "Code Injection\nRemote Code Execution Vulnerability in shopware.", "references": [ { "reference_url": "https://community.shopware.com/_detail_2015.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://community.shopware.com/_detail_2015.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52619?format=api", "purl": "pkg:composer/shopware/shopware@5.2.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-c8p5-grny-sue7" }, { "vulnerability": "VCID-ecce-958d-k3fx" }, { "vulnerability": "VCID-mu45-9nhk-f7a5" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.25" } ], "aliases": [ "GMS-2017-343" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wh8d-hm8t-vkfm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11264?format=api", "vulnerability_id": "VCID-ztq4-mw67-d3g4", "summary": "Remote Code Execution Vulnerability\nUnder certain circumstances, it’s possible to execute an unauthorized foreign code in Shopware.", "references": [ { "reference_url": "http://en.community.shopware.com/_detail_1989.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://en.community.shopware.com/_detail_1989.html" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/52201?format=api", "purl": "pkg:composer/shopware/shopware@5.2.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6cb3-b3qq-juap" }, { "vulnerability": "VCID-c3rs-ndfu-c3bq" }, { "vulnerability": "VCID-c8p5-grny-sue7" }, { "vulnerability": "VCID-ecce-958d-k3fx" }, { "vulnerability": "VCID-gn89-e5je-ybeb" }, { "vulnerability": "VCID-mu45-9nhk-f7a5" }, { "vulnerability": "VCID-pb56-zbvy-q7b9" }, { "vulnerability": "VCID-vzv3-795x-gfhd" }, { "vulnerability": "VCID-wh8d-hm8t-vkfm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.16" } ], "aliases": [ "GMS-2017-106" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ztq4-mw67-d3g4" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.2.0" }