Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/792801?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/792801?format=api", "purl": "pkg:composer/shopware/core@6.5.8.13", "type": "composer", "namespace": "shopware", "name": "core", "version": "6.5.8.13", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.6.10.15", "latest_non_vulnerable_version": "6.7.8.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212311?format=api", "vulnerability_id": "VCID-43zt-wnjy-rudk", "summary": "Shopware vulnerable to path traversal via Plugin upload", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-6wh5-mw9h-5c3w" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-43zt-wnjy-rudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212314?format=api", "vulnerability_id": "VCID-5b7t-vavj-efae", "summary": "Shopware Customer Orders can be canceled, even if refunds are disabled", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592" }, { "reference_url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-r2vg-hvjm-fg38" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5b7t-vavj-efae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71295?format=api", "vulnerability_id": "VCID-637f-zxjb-8ufn", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17474", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17628", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17654", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17636", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888", "reference_id": "CVE-2026-31888", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888" }, { "reference_url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31888", "GHSA-gqc5-xv7m-gcjq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-637f-zxjb-8ufn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360508?format=api", "vulnerability_id": "VCID-6tys-6s4d-fqcm", "summary": "Shopware Broken ACL on Document retrieval to access other customers documents\n### Impact\nIt's possible to guess the deepLinkCode of an Document to open documents of other customers\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q" }, { "reference_url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q", "reference_id": "GHSA-68wv-g3fw-pq7q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68wv-g3fw-pq7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "GHSA-68wv-g3fw-pq7q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6tys-6s4d-fqcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212350?format=api", "vulnerability_id": "VCID-a8xu-y9nr-9uag", "summary": "Shopware 6's password recovery link does not expire after email change", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13" }, { "reference_url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1" }, { "reference_url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35232?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B9" }, { "url": "http://public2.vulnerablecode.io/api/packages/879127?format=api", "purl": "pkg:composer/shopware/core@6.6.10.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/35236?format=api", "purl": "pkg:composer/shopware/core@6.7.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/879129?format=api", "purl": "pkg:composer/shopware/core@6.7.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1" } ], "aliases": [ "GHSA-2w46-vq8h-98vh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8xu-y9nr-9uag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71464?format=api", "vulnerability_id": "VCID-dqba-4hk6-eud2", "summary": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26177", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26375", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.2639", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26378", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889", "reference_id": "CVE-2026-31889", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889" }, { "reference_url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31889", "GHSA-c4p7-rwrg-pf6p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqba-4hk6-eud2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212313?format=api", "vulnerability_id": "VCID-nhdh-f91b-kuex", "summary": "Shopware exposes sensitive user information via CSV export mapping", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083" }, { "reference_url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-27c9-vp3w-6ww8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhdh-f91b-kuex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212312?format=api", "vulnerability_id": "VCID-nzcj-wu6c-pfgw", "summary": "Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4" }, { "reference_url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-3cpp-fv95-mpr5" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcj-wu6c-pfgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212310?format=api", "vulnerability_id": "VCID-sjfg-863y-c3fp", "summary": "Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34676?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7" }, { "url": "http://public2.vulnerablecode.io/api/packages/873685?format=api", "purl": "pkg:composer/shopware/core@6.6.10.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-a8xu-y9nr-9uag" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-m895-2hj3-8cg9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sjfg-863y-c3fp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89802?format=api", "vulnerability_id": "VCID-sq4j-drbr-fub6", "summary": "Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74498", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74495", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74411", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74484", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30151" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30151" }, { "reference_url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgfj-hj93-rmh2" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2", "reference_id": "GHSA-cgfj-hj93-rmh2", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-30151", "GHSA-cgfj-hj93-rmh2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sq4j-drbr-fub6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90154?format=api", "vulnerability_id": "VCID-stdp-p5h7-3kg3", "summary": "Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00619", "scoring_system": "epss", "scoring_elements": "0.70601", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00619", "scoring_system": "epss", "scoring_elements": "0.70604", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74708", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00808", "scoring_system": "epss", "scoring_elements": "0.74636", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-30150" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30150" }, { "reference_url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hh7j-6x3q-f52h" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h", "reference_id": "GHSA-hh7j-6x3q-f52h", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376236?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-30150", "GHSA-hh7j-6x3q-f52h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-stdp-p5h7-3kg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/117184?format=api", "vulnerability_id": "VCID-u41w-g79s-eyez", "summary": "Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79772", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79784", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.7979", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01246", "scoring_system": "epss", "scoring_elements": "0.79707", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27892" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.5.8.17" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.3" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27892" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001" }, { "reference_url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59", "reference_id": "GHSA-8g35-7rmw-7f59", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59" }, { "reference_url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/", "reference_id": "rt-sa-2025-001", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/" } ], "url": "https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376236?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18" }, { "url": "http://public2.vulnerablecode.io/api/packages/706583?format=api", "purl": "pkg:composer/shopware/core@6.5.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-s7y9-5z3z-syec" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-27892", "GHSA-8g35-7rmw-7f59" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u41w-g79s-eyez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/114442?format=api", "vulnerability_id": "VCID-ykq7-2fy3-b7e1", "summary": "Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63782", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63668", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.6377", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00441", "scoring_system": "epss", "scoring_elements": "0.63783", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32378" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32378" }, { "reference_url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4h9w-7vfp-px8m" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m", "reference_id": "GHSA-4h9w-7vfp-px8m", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376414?format=api", "purl": "pkg:composer/shopware/core@6.5.8%2B17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-stdp-p5h7-3kg3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17" }, { "url": "http://public2.vulnerablecode.io/api/packages/793116?format=api", "purl": "pkg:composer/shopware/core@6.5.8.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/792816?format=api", "purl": "pkg:composer/shopware/core@6.6.10.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376234?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3" }, { "url": "http://public2.vulnerablecode.io/api/packages/376231?format=api", "purl": "pkg:composer/shopware/core@6.7.0%2B0-rc2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2" }, { "url": "http://public2.vulnerablecode.io/api/packages/792818?format=api", "purl": "pkg:composer/shopware/core@6.7.0.0-rc2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-9men-n7d5-63ct" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2" } ], "aliases": [ "CVE-2025-32378", "GHSA-4h9w-7vfp-px8m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ykq7-2fy3-b7e1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71472?format=api", "vulnerability_id": "VCID-zhxv-e8fu-tucd", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16072", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1605", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15931", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16084", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887", "reference_id": "CVE-2026-31887", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887" }, { "reference_url": "https://github.com/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vvp-j573-5584" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40705?format=api", "purl": "pkg:composer/shopware/core@6.6.10%2B15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15" }, { "url": "http://public2.vulnerablecode.io/api/packages/962818?format=api", "purl": "pkg:composer/shopware/core@6.6.10.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31887", "GHSA-7vvp-j573-5584" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhxv-e8fu-tucd" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.13" }