Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/734393?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/734393?format=api", "purl": "pkg:composer/shopware/core@6.5.8.10", "type": "composer", "namespace": "shopware", "name": "core", "version": "6.5.8.10", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.6.10.15", "latest_non_vulnerable_version": "6.7.8.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212311?format=api", "vulnerability_id": "VCID-43zt-wnjy-rudk", "summary": "Shopware vulnerable to path traversal via Plugin upload", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-6wh5-mw9h-5c3w" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-43zt-wnjy-rudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212314?format=api", "vulnerability_id": "VCID-5b7t-vavj-efae", "summary": "Shopware Customer Orders can be canceled, even if refunds are disabled", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592" }, { "reference_url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-r2vg-hvjm-fg38" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5b7t-vavj-efae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71295?format=api", "vulnerability_id": "VCID-637f-zxjb-8ufn", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17474", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17628", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17654", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17636", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888", "reference_id": "CVE-2026-31888", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888" }, { "reference_url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31888", "GHSA-gqc5-xv7m-gcjq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-637f-zxjb-8ufn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360508?format=api", "vulnerability_id": "VCID-6tys-6s4d-fqcm", "summary": "Shopware Broken ACL on Document retrieval to access other customers documents\n### Impact\nIt's possible to guess the deepLinkCode of an Document to open documents of other customers\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q" }, { "reference_url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "GHSA-68wv-g3fw-pq7q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "GHSA-68wv-g3fw-pq7q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6tys-6s4d-fqcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212350?format=api", "vulnerability_id": "VCID-a8xu-y9nr-9uag", "summary": "Shopware 6's password recovery link does not expire after email change", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13" }, { "reference_url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1" }, { "reference_url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35232?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B9" }, { "url": "http://public2.vulnerablecode.io/api/packages/879127?format=api", "purl": "pkg:composer/shopware/core@6.6.10.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/35236?format=api", "purl": "pkg:composer/shopware/core@6.7.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/879129?format=api", "purl": "pkg:composer/shopware/core@6.7.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1" } ], "aliases": [ "GHSA-2w46-vq8h-98vh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8xu-y9nr-9uag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71464?format=api", "vulnerability_id": "VCID-dqba-4hk6-eud2", "summary": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26177", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26375", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.2639", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26378", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889", "reference_id": "CVE-2026-31889", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889" }, { "reference_url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31889", "GHSA-c4p7-rwrg-pf6p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqba-4hk6-eud2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41243?format=api", "vulnerability_id": "VCID-h4gh-jepq-2ue8", "summary": "Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable SQL-injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42357", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74858", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74868", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74872", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00817", "scoring_system": "epss", "scoring_elements": "0.74787", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42357" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b", "reference_id": "57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b" }, { "reference_url": "https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9", "reference_id": "63c05615694790f5790a04ef889f42b764fa53c9", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42357", "reference_id": "CVE-2024-42357", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42357" }, { "reference_url": "https://github.com/advisories/GHSA-p6w9-r443-r752", "reference_id": "GHSA-p6w9-r443-r752", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p6w9-r443-r752" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752", "reference_id": "GHSA-p6w9-r443-r752", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42357", "GHSA-p6w9-r443-r752" ], "risk_score": 3.3, "exploitability": "0.5", "weighted_severity": "6.6", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h4gh-jepq-2ue8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212313?format=api", "vulnerability_id": "VCID-nhdh-f91b-kuex", "summary": "Shopware exposes sensitive user information via CSV export mapping", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083" }, { "reference_url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-27c9-vp3w-6ww8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhdh-f91b-kuex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212312?format=api", "vulnerability_id": "VCID-nzcj-wu6c-pfgw", "summary": "Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4" }, { "reference_url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-3cpp-fv95-mpr5" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcj-wu6c-pfgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41060?format=api", "vulnerability_id": "VCID-parp-avvf-v3bu", "summary": "Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag. Prior to versions 6.6.5.1 and 6.5.8.13, it accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42355", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.78052", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.78058", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.78045", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01052", "scoring_system": "epss", "scoring_elements": "0.77977", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42355" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da", "reference_id": "445c6763cc093fbd651e0efaa4150deae4ae60da", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355", "reference_id": "CVE-2024-42355", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42355" }, { "reference_url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_id": "d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2" }, { "reference_url": "https://github.com/advisories/GHSA-27wp-jvhw-v4xp", "reference_id": "GHSA-27wp-jvhw-v4xp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27wp-jvhw-v4xp" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp", "reference_id": "GHSA-27wp-jvhw-v4xp", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42355", "GHSA-27wp-jvhw-v4xp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-parp-avvf-v3bu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41262?format=api", "vulnerability_id": "VCID-qhgp-qxed-7qbc", "summary": "Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42356", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62937", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.63047", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.6305", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.63038", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42356" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038", "reference_id": "04183e0c02af3b404eb7d52c683734bfe0595038", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42356", "reference_id": "CVE-2024-42356", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42356" }, { "reference_url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e", "reference_id": "e43423bcc93c618c3036f94c12aa29514da8cf2e", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e" }, { "reference_url": "https://github.com/advisories/GHSA-35jp-8cgg-p4wj", "reference_id": "GHSA-35jp-8cgg-p4wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35jp-8cgg-p4wj" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj", "reference_id": "GHSA-35jp-8cgg-p4wj", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42356", "GHSA-35jp-8cgg-p4wj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qhgp-qxed-7qbc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41018?format=api", "vulnerability_id": "VCID-rfa4-81mz-qqd9", "summary": "Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used. This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42354", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62735", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.6273", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62723", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00424", "scoring_system": "epss", "scoring_elements": "0.62622", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42354" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_id": "8504ba7e56e53add6a1d5b9d45015e3d899cd0ac", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac" }, { "reference_url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_id": "a784aa1cec0624e36e0ee4d41aeebaed40e0442f", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f" }, { "reference_url": "https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01", "reference_id": "ad83d38809df457efef21c37ce0996430334bf01", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42354", "reference_id": "CVE-2024-42354", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42354" }, { "reference_url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_id": "d35ee2eda5c995faeb08b3dad127eab65c64e2a2", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2" }, { "reference_url": "https://github.com/advisories/GHSA-hhcq-ph6w-494g", "reference_id": "GHSA-hhcq-ph6w-494g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hhcq-ph6w-494g" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g", "reference_id": "GHSA-hhcq-ph6w-494g", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32942?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/734405?format=api", "purl": "pkg:composer/shopware/core@6.6.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-6tys-6s4d-fqcm" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-sq4j-drbr-fub6" }, { "vulnerability": "VCID-stdp-p5h7-3kg3" }, { "vulnerability": "VCID-u41w-g79s-eyez" }, { "vulnerability": "VCID-ykq7-2fy3-b7e1" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32950?format=api", "purl": "pkg:composer/shopware/core@6.6.5%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1" } ], "aliases": [ "CVE-2024-42354", "GHSA-hhcq-ph6w-494g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rfa4-81mz-qqd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212310?format=api", "vulnerability_id": "VCID-sjfg-863y-c3fp", "summary": "Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-m895-2hj3-8cg9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sjfg-863y-c3fp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89802?format=api", "vulnerability_id": "VCID-sq4j-drbr-fub6", "summary": "Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74498", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74495", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74411", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74484", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151" }, { "reference_url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-30151", "GHSA-cgfj-hj93-rmh2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sq4j-drbr-fub6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90154?format=api", "vulnerability_id": "VCID-stdp-p5h7-3kg3", "summary": "Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00619", "scoring_system": "epss", "scoring_elements": "0.70601", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00619", "scoring_system": "epss", "scoring_elements": "0.70604", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74708", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74636", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150" }, { "reference_url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376236?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-30150", "GHSA-hh7j-6x3q-f52h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-stdp-p5h7-3kg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/117184?format=api", "vulnerability_id": "VCID-u41w-g79s-eyez", "summary": "Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79772", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79784", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.7979", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79707", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001" }, { "reference_url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/", "reference_id": "rt-sa-2025-001", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376236?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-27892", "GHSA-8g35-7rmw-7f59" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u41w-g79s-eyez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/114442?format=api", "vulnerability_id": "VCID-ykq7-2fy3-b7e1", "summary": "Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63782", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63668", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.6377", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63783", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378" }, { "reference_url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/793116?format=api", "purl": "pkg:composer/shopware/core@6.5.8.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-32378", "GHSA-4h9w-7vfp-px8m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ykq7-2fy3-b7e1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71472?format=api", "vulnerability_id": "VCID-zhxv-e8fu-tucd", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16072", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1605", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15931", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16084", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887", "reference_id": "CVE-2026-31887", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887" }, { "reference_url": "https://github.com/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vvp-j573-5584" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31887", "GHSA-7vvp-j573-5584" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhxv-e8fu-tucd" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.10" }