Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/607753?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/607753?format=api", "purl": "pkg:composer/shopware/core@6.4.15.1", "type": "composer", "namespace": "shopware", "name": "core", "version": "6.4.15.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.6.10.15", "latest_non_vulnerable_version": "6.7.8.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212311?format=api", "vulnerability_id": "VCID-43zt-wnjy-rudk", "summary": "Shopware vulnerable to path traversal via Plugin upload", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-6wh5-mw9h-5c3w" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-43zt-wnjy-rudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212314?format=api", "vulnerability_id": "VCID-5b7t-vavj-efae", "summary": "Shopware Customer Orders can be canceled, even if refunds are disabled", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592" }, { "reference_url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-r2vg-hvjm-fg38" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5b7t-vavj-efae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/149874?format=api", "vulnerability_id": "VCID-5yxh-sqdk-37dy", "summary": "Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass quantity limits in sales. This problem has been fixed with version 6.4.18.1. Users on major versions 6.1, 6.2, and 6.3 may also obtain this fix via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22730", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53562", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53689", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53687", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53703", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22730" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22730", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22730" }, { "reference_url": "https://github.com/shopware/platform/commit/4fce12096e54b2033832d9104fa2e68888c2b4e9", "reference_id": "4fce12096e54b2033832d9104fa2e68888c2b4e9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/" } ], "url": "https://github.com/shopware/platform/commit/4fce12096e54b2033832d9104fa2e68888c2b4e9" }, { "reference_url": "https://github.com/advisories/GHSA-8r6h-m72v-38fg", "reference_id": "GHSA-8r6h-m72v-38fg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8r6h-m72v-38fg" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-8r6h-m72v-38fg", "reference_id": "GHSA-8r6h-m72v-38fg", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-8r6h-m72v-38fg" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "security-update-01-2023?category=security-updates", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/607761?format=api", "purl": "pkg:composer/shopware/core@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-d284-ecsh-ebhw" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-g4mm-3wn7-z3dr" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ujfm-g8ne-cqhx" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/379920?format=api", "purl": "pkg:composer/shopware/core@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22730", "GHSA-8r6h-m72v-38fg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5yxh-sqdk-37dy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71295?format=api", "vulnerability_id": "VCID-637f-zxjb-8ufn", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17474", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17628", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17654", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17636", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888", "reference_id": "CVE-2026-31888", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888" }, { "reference_url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31888", "GHSA-gqc5-xv7m-gcjq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-637f-zxjb-8ufn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360508?format=api", "vulnerability_id": "VCID-6tys-6s4d-fqcm", "summary": "Shopware Broken ACL on Document retrieval to access other customers documents\n### Impact\nIt's possible to guess the deepLinkCode of an Document to open documents of other customers\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q" }, { "reference_url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "GHSA-68wv-g3fw-pq7q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "GHSA-68wv-g3fw-pq7q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6tys-6s4d-fqcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/149421?format=api", "vulnerability_id": "VCID-845f-5kns-bqcb", "summary": "Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22732", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61686", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61682", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61576", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00407", "scoring_system": "epss", "scoring_elements": "0.61678", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22732" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22732", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22732" }, { "reference_url": "https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6", "reference_id": "cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/" } ], "url": "https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6" }, { "reference_url": "https://github.com/advisories/GHSA-59qg-93jg-236f", "reference_id": "GHSA-59qg-93jg-236f", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-59qg-93jg-236f" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f", "reference_id": "GHSA-59qg-93jg-236f", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "security-update-01-2023?category=security-updates", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/607761?format=api", "purl": "pkg:composer/shopware/core@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-d284-ecsh-ebhw" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-g4mm-3wn7-z3dr" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ujfm-g8ne-cqhx" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/379920?format=api", "purl": "pkg:composer/shopware/core@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22732", "GHSA-59qg-93jg-236f" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-845f-5kns-bqcb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212350?format=api", "vulnerability_id": "VCID-a8xu-y9nr-9uag", "summary": "Shopware 6's password recovery link does not expire after email change", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13" }, { "reference_url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1" }, { "reference_url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35232?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B9" }, { "url": "http://public2.vulnerablecode.io/api/packages/879127?format=api", "purl": "pkg:composer/shopware/core@6.6.10.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/35236?format=api", "purl": "pkg:composer/shopware/core@6.7.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/879129?format=api", "purl": "pkg:composer/shopware/core@6.7.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1" } ], "aliases": [ "GHSA-2w46-vq8h-98vh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8xu-y9nr-9uag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/62293?format=api", "vulnerability_id": "VCID-d284-ecsh-ebhw", "summary": "Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22407", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28835", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28848", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28859", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28635", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22407" }, { "reference_url": "https://github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22407", "reference_id": "CVE-2024-22407", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22407" }, { "reference_url": "https://github.com/advisories/GHSA-3867-jc5c-66qf", "reference_id": "GHSA-3867-jc5c-66qf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3867-jc5c-66qf" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "reference_id": "GHSA-3867-jc5c-66qf", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T16:09:33Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28430?format=api", "purl": "pkg:composer/shopware/core@6.5.7%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/685851?format=api", "purl": "pkg:composer/shopware/core@6.5.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7.4" } ], "aliases": [ "CVE-2024-22407", "GHSA-3867-jc5c-66qf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d284-ecsh-ebhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71464?format=api", "vulnerability_id": "VCID-dqba-4hk6-eud2", "summary": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26177", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26375", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.2639", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26378", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889", "reference_id": "CVE-2026-31889", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889" }, { "reference_url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31889", "GHSA-c4p7-rwrg-pf6p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqba-4hk6-eud2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/150760?format=api", "vulnerability_id": "VCID-g4mm-3wn7-z3dr", "summary": "Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\\Core\\Framework\\Adapter\\Twig\\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2017", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02271", "scoring_system": "epss", "scoring_elements": "0.85005", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.02424", "scoring_system": "epss", "scoring_elements": "0.85519", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.02424", "scoring_system": "epss", "scoring_elements": "0.85527", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.02424", "scoring_system": "epss", "scoring_elements": "0.85517", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2017" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://github.com/shopware/platform/releases/tag/v6.4.20.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform/releases/tag/v6.4.20.1" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2017", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2017" }, { "reference_url": "https://starlabs.sg/advisories/23/23-2017", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://starlabs.sg/advisories/23/23-2017" }, { "reference_url": "https://starlabs.sg/advisories/23/23-2017/", "reference_id": "23-2017", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/" } ], "url": "https://starlabs.sg/advisories/23/23-2017/" }, { "reference_url": "https://github.com/advisories/GHSA-7v2v-9rm4-7m8f", "reference_id": "GHSA-7v2v-9rm4-7m8f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7v2v-9rm4-7m8f" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f", "reference_id": "GHSA-7v2v-9rm4-7m8f", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023", "reference_id": "security-update-04-2023", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379600?format=api", "purl": "pkg:composer/shopware/core@6.4.20%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.20%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/622990?format=api", "purl": "pkg:composer/shopware/core@6.4.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-d284-ecsh-ebhw" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ujfm-g8ne-cqhx" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.20.1" } ], "aliases": [ "CVE-2023-2017", "GHSA-7v2v-9rm4-7m8f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g4mm-3wn7-z3dr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41243?format=api", "vulnerability_id": "VCID-h4gh-jepq-2ue8", "summary": "Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable SQL-injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42357", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74858", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74868", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74872", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74787", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42357" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b", "reference_id": "57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b" }, { "reference_url": "https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9", "reference_id": "63c05615694790f5790a04ef889f42b764fa53c9", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42357", "reference_id": "CVE-2024-42357", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42357" }, { "reference_url": "https://github.com/advisories/GHSA-p6w9-r443-r752", "reference_id": "GHSA-p6w9-r443-r752", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p6w9-r443-r752" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752", "reference_id": "GHSA-p6w9-r443-r752", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42357", "GHSA-p6w9-r443-r752" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h4gh-jepq-2ue8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212313?format=api", "vulnerability_id": "VCID-nhdh-f91b-kuex", "summary": "Shopware exposes sensitive user information via CSV export mapping", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083" }, { "reference_url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-27c9-vp3w-6ww8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhdh-f91b-kuex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212312?format=api", "vulnerability_id": "VCID-nzcj-wu6c-pfgw", "summary": "Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4" }, { "reference_url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-3cpp-fv95-mpr5" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcj-wu6c-pfgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/149599?format=api", "vulnerability_id": "VCID-p5f5-9e68-rqdd", "summary": "Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are advised to upgrade. Users unable to upgrade may find security measures are available via a plugin for major versions 6.1, 6.2, and 6.3. Users may also disable newsletter registration completely.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22734", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53687", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53689", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53562", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53703", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22734" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22734", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22734" }, { "reference_url": "https://github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620", "reference_id": "f5a95ee2bcf1e546878450963ef1d9886e59a620", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/" } ], "url": "https://github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620" }, { "reference_url": "https://github.com/advisories/GHSA-46h7-vj7x-fxg2", "reference_id": "GHSA-46h7-vj7x-fxg2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-46h7-vj7x-fxg2" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2", "reference_id": "GHSA-46h7-vj7x-fxg2", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "security-update-01-2023?category=security-updates", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/607761?format=api", "purl": "pkg:composer/shopware/core@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-d284-ecsh-ebhw" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-g4mm-3wn7-z3dr" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ujfm-g8ne-cqhx" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/379920?format=api", "purl": "pkg:composer/shopware/core@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22734", "GHSA-46h7-vj7x-fxg2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p5f5-9e68-rqdd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41060?format=api", "vulnerability_id": "VCID-parp-avvf-v3bu", "summary": "Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42355", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.78052", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.78058", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.78045", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.77977", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42355" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da", "reference_id": "445c6763cc093fbd651e0efaa4150deae4ae60da", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355", "reference_id": "CVE-2024-42355", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355" }, { "reference_url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_id": "d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2" }, { "reference_url": "https://github.com/advisories/GHSA-27wp-jvhw-v4xp", "reference_id": "GHSA-27wp-jvhw-v4xp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27wp-jvhw-v4xp" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp", "reference_id": "GHSA-27wp-jvhw-v4xp", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42355", "GHSA-27wp-jvhw-v4xp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-parp-avvf-v3bu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41262?format=api", "vulnerability_id": "VCID-qhgp-qxed-7qbc", "summary": "Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42356", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62937", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.63047", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.6305", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.63038", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42356" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038", "reference_id": "04183e0c02af3b404eb7d52c683734bfe0595038", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42356", "reference_id": "CVE-2024-42356", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42356" }, { "reference_url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e", "reference_id": "e43423bcc93c618c3036f94c12aa29514da8cf2e", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e" }, { "reference_url": "https://github.com/advisories/GHSA-35jp-8cgg-p4wj", "reference_id": "GHSA-35jp-8cgg-p4wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35jp-8cgg-p4wj" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj", "reference_id": "GHSA-35jp-8cgg-p4wj", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42356", "GHSA-35jp-8cgg-p4wj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qhgp-qxed-7qbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/149373?format=api", "vulnerability_id": "VCID-radt-bkq9-9ua5", "summary": "Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22731", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02406", "scoring_system": "epss", "scoring_elements": "0.85413", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.02406", "scoring_system": "epss", "scoring_elements": "0.85466", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.02406", "scoring_system": "epss", "scoring_elements": "0.85465", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.02406", "scoring_system": "epss", "scoring_elements": "0.85474", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22731" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22731", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22731" }, { "reference_url": "https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1", "reference_id": "89d1ea154689cb6202e0d3a0ceeae0febb0c09e1", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/" } ], "url": "https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1" }, { "reference_url": "https://github.com/advisories/GHSA-93cw-f5jj-x85w", "reference_id": "GHSA-93cw-f5jj-x85w", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93cw-f5jj-x85w" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w", "reference_id": "GHSA-93cw-f5jj-x85w", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "security-update-01-2023?category=security-updates", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/607761?format=api", "purl": "pkg:composer/shopware/core@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-d284-ecsh-ebhw" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-g4mm-3wn7-z3dr" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ujfm-g8ne-cqhx" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/379920?format=api", "purl": "pkg:composer/shopware/core@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22731", "GHSA-93cw-f5jj-x85w" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-radt-bkq9-9ua5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41018?format=api", "vulnerability_id": "VCID-rfa4-81mz-qqd9", "summary": "Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used. This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42354", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62735", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.6273", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62723", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62622", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42354" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01", "reference_id": "ad83d38809df457efef21c37ce0996430334bf01", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42354", "reference_id": "CVE-2024-42354", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42354" }, { "reference_url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_id": "d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2" }, { "reference_url": "https://github.com/advisories/GHSA-hhcq-ph6w-494g", "reference_id": "GHSA-hhcq-ph6w-494g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hhcq-ph6w-494g" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g", "reference_id": "GHSA-hhcq-ph6w-494g", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42354", "GHSA-hhcq-ph6w-494g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rfa4-81mz-qqd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42684?format=api", "vulnerability_id": "VCID-s7y9-5z3z-syec", "summary": "Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31447", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.3744", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.3745", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37262", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00164", "scoring_system": "epss", "scoring_elements": "0.37463", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-31447" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77", "reference_id": "5cc84ddd817ad0c1d07f9b3c79ab346d50514a77", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T15:22:21Z/" } ], "url": "https://github.com/shopware/shopware/commit/5cc84ddd817ad0c1d07f9b3c79ab346d50514a77" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31447", "reference_id": "CVE-2024-31447", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31447" }, { "reference_url": "https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3", "reference_id": "d29775aa758f70d08e0c5999795c7c26d230e7d3", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T15:22:21Z/" } ], "url": "https://github.com/shopware/shopware/commit/d29775aa758f70d08e0c5999795c7c26d230e7d3" }, { "reference_url": "https://github.com/advisories/GHSA-5297-wrrp-rcj7", "reference_id": "GHSA-5297-wrrp-rcj7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5297-wrrp-rcj7" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7", "reference_id": "GHSA-5297-wrrp-rcj7", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T15:22:21Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-5297-wrrp-rcj7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30202?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B8" }, { "url": "http://public2.vulnerablecode.io/api/packages/706589?format=api", "purl": "pkg:composer/shopware/core@6.6.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/30206?format=api", "purl": "pkg:composer/shopware/core@6.6.1%2B0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.1%252B0" }, { "url": "http://public2.vulnerablecode.io/api/packages/706599?format=api", "purl": "pkg:composer/shopware/core@6.6.10.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.12" } ], "aliases": [ "CVE-2024-31447", "GHSA-5297-wrrp-rcj7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s7y9-5z3z-syec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212310?format=api", "vulnerability_id": "VCID-sjfg-863y-c3fp", "summary": "Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-m895-2hj3-8cg9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sjfg-863y-c3fp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89802?format=api", "vulnerability_id": "VCID-sq4j-drbr-fub6", "summary": "Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74498", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74495", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74411", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74484", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151" }, { "reference_url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-30151", "GHSA-cgfj-hj93-rmh2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sq4j-drbr-fub6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90154?format=api", "vulnerability_id": "VCID-stdp-p5h7-3kg3", "summary": "Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00619", "scoring_system": "epss", "scoring_elements": "0.70601", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00619", "scoring_system": "epss", "scoring_elements": "0.70604", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74708", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74636", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150" }, { "reference_url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376236?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-30150", "GHSA-hh7j-6x3q-f52h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-stdp-p5h7-3kg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/117184?format=api", "vulnerability_id": "VCID-u41w-g79s-eyez", "summary": "Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79772", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79784", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.7979", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79707", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001" }, { "reference_url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/", "reference_id": "rt-sa-2025-001", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376236?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-27892", "GHSA-8g35-7rmw-7f59" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u41w-g79s-eyez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/62339?format=api", "vulnerability_id": "VCID-ujfm-g8ne-cqhx", "summary": "Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using time-based SQL-queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22406", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.62221", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.62223", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.6211", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.62212", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22406" }, { "reference_url": "https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.7.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.7.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22406", "reference_id": "CVE-2024-22406", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22406" }, { "reference_url": "https://github.com/advisories/GHSA-qmp9-2xwj-m6m9", "reference_id": "GHSA-qmp9-2xwj-m6m9", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmp9-2xwj-m6m9" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9", "reference_id": "GHSA-qmp9-2xwj-m6m9", "reference_type": "", "scores": [ { "value": "9.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:42:55Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28430?format=api", "purl": "pkg:composer/shopware/core@6.5.7%2B4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7%252B4" }, { "url": "http://public2.vulnerablecode.io/api/packages/685851?format=api", "purl": "pkg:composer/shopware/core@6.5.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7.4" } ], "aliases": [ "CVE-2024-22406", "GHSA-qmp9-2xwj-m6m9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ujfm-g8ne-cqhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/114442?format=api", "vulnerability_id": "VCID-ykq7-2fy3-b7e1", "summary": "Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63782", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63668", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.6377", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63783", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378" }, { "reference_url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/793116?format=api", "purl": "pkg:composer/shopware/core@6.5.8.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-32378", "GHSA-4h9w-7vfp-px8m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ykq7-2fy3-b7e1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/149549?format=api", "vulnerability_id": "VCID-z266-zw44-13et", "summary": "Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kind of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users accounts. This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove from all users the log module ACL rights or disable logging.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22733", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.5378", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53909", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53905", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.003", "scoring_system": "epss", "scoring_elements": "0.53922", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22733" }, { "reference_url": "https://github.com/shopware/platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/platform" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22733", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22733" }, { "reference_url": "https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07", "reference_id": "407a83063d7141c1a626441799c3ebef79498c07", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07" }, { "reference_url": "https://github.com/advisories/GHSA-7cp7-jfp6-jh4f", "reference_id": "GHSA-7cp7-jfp6-jh4f", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7cp7-jfp6-jh4f" }, { "reference_url": "https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f", "reference_id": "GHSA-7cp7-jfp6-jh4f", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f" }, { "reference_url": "https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging", "reference_id": "performance-tweaks#logging", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging" }, { "reference_url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates", "reference_id": "security-update-01-2023?category=security-updates", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/" } ], "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/607761?format=api", "purl": "pkg:composer/shopware/core@6.4.18.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-d284-ecsh-ebhw" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-g4mm-3wn7-z3dr" }, { "vulnerability": "VCID-h4gh-jepq-2ue8" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-parp-avvf-v3bu" }, { "vulnerability": "VCID-qhgp-qxed-7qbc" }, { "vulnerability": "VCID-rfa4-81mz-qqd9" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ujfm-g8ne-cqhx" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/379920?format=api", "purl": "pkg:composer/shopware/core@6.4.18%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1" } ], "aliases": [ "CVE-2023-22733", "GHSA-7cp7-jfp6-jh4f" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z266-zw44-13et" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71472?format=api", "vulnerability_id": "VCID-zhxv-e8fu-tucd", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16072", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1605", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15931", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16084", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887", "reference_id": "CVE-2026-31887", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887" }, { "reference_url": "https://github.com/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vvp-j573-5584" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31887", "GHSA-7vvp-j573-5584" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhxv-e8fu-tucd" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.15.1" }