Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/841601?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/841601?format=api", "purl": "pkg:composer/shopware/core@6.7.2.0", "type": "composer", "namespace": "shopware", "name": "core", "version": "6.7.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.7.8.1", "latest_non_vulnerable_version": "6.7.8.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212311?format=api", "vulnerability_id": "VCID-43zt-wnjy-rudk", "summary": "Shopware vulnerable to path traversal via Plugin upload", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6wh5-mw9h-5c3w" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w", "reference_id": "GHSA-6wh5-mw9h-5c3w", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-6wh5-mw9h-5c3w" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-43zt-wnjy-rudk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66958?format=api", "vulnerability_id": "VCID-4nnv-aqdx-x3gr", "summary": "Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02602", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02883", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02592", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08147", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23498" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475", "reference_id": "3966b05590e29432b8485ba47b4fcd14dd0b8475", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-14T21:15:49Z/" } ], "url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23498", "reference_id": "CVE-2026-23498", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23498" }, { "reference_url": "https://github.com/advisories/GHSA-7cw6-7h3h-v8pf", "reference_id": "GHSA-7cw6-7h3h-v8pf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7cw6-7h3h-v8pf" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf", "reference_id": "GHSA-7cw6-7h3h-v8pf", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-14T21:15:49Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf" }, { "reference_url": "https://github.com/advisories/GHSA-7v2v-9rm4-7m8f", "reference_id": "GHSA-7v2v-9rm4-7m8f", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7v2v-9rm4-7m8f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37751?format=api", "purl": "pkg:composer/shopware/core@6.7.6%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.6%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/923050?format=api", "purl": "pkg:composer/shopware/core@6.7.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.6.1" } ], "aliases": [ "CVE-2026-23498", "GHSA-7cw6-7h3h-v8pf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4nnv-aqdx-x3gr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212314?format=api", "vulnerability_id": "VCID-5b7t-vavj-efae", "summary": "Shopware Customer Orders can be canceled, even if refunds are disabled", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592" }, { "reference_url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2vg-hvjm-fg38" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38", "reference_id": "GHSA-r2vg-hvjm-fg38", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-r2vg-hvjm-fg38" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5b7t-vavj-efae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71295?format=api", "vulnerability_id": "VCID-637f-zxjb-8ufn", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17474", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17628", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17654", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17636", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31888" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888", "reference_id": "CVE-2026-31888", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888" }, { "reference_url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqc5-xv7m-gcjq" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq", "reference_id": "GHSA-gqc5-xv7m-gcjq", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31888", "GHSA-gqc5-xv7m-gcjq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-637f-zxjb-8ufn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360552?format=api", "vulnerability_id": "VCID-9men-n7d5-63ct", "summary": "Shopware: Reflective Cross Site-Scripting (XSS) in CMS components\n### Impact\nBy exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. \n\nSome examples of this include, but are not limited to:\n- Obtaining user session tokens.\n- Performing administrative actions (when an administrative user is affected).\n\nThese vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.\n\n#### Description\nWhen an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user's web browser. This allows malicious actors to perform malicious actions in the name of that user. XSS can be divided into three variants: Persistent XSS, Reflective XSS and DOM-based XSS. In Reflective XSS, a malicious actor injects malicious JavaScript code into a URL. Every time the user visits this URL, the JavaScript code is executed in the user’s browser.\n\n#### Applicability \nDue to a lack of input validation, the Shopware application contain XSS vulnerabilities. The JavaScript variable 'activeRouteParameters' lacks input validation, which makes it vulnerable to XSS attacks at the following endpoints:\n\n- /page/cms/*\n- /widget/cms/*\n\nThe lack of input validation enables malicious actors to inject harmful JavaScript-code into the affected pages. When a user visits the page, the code is executed within the user’s web browser. This enables malicious actors to perform (harmful) actions on behalf of the affected user. No user account is required to exploit this vulnerability.\n\n#### Reproduction\nTo reproduce this vulnerability, the steps below can be followed.\n1. Navigate to the URL below containing the XSS payload:\nhttps://pentest-saas-2025-2.shopware.store/page/cms/'+alert('REQON')+'\n2. Observe that a pop-up is shown indicating that the JavaScript code has been executed.\n\n#### Workarounds\nFor older versions of 6.7, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/12fb537c5ebe009f2a0f58b9c24dbd2d6b4c508f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/12fb537c5ebe009f2a0f58b9c24dbd2d6b4c508f" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.2.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.2.1" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-9v82-vcjx-m76j", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-9v82-vcjx-m76j" }, { "reference_url": "https://github.com/advisories/GHSA-9v82-vcjx-m76j", "reference_id": "GHSA-9v82-vcjx-m76j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9v82-vcjx-m76j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376839?format=api", "purl": "pkg:composer/shopware/core@6.7.2%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.2%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/841602?format=api", "purl": "pkg:composer/shopware/core@6.7.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-43zt-wnjy-rudk" }, { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-5b7t-vavj-efae" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-nhdh-f91b-kuex" }, { "vulnerability": "VCID-nzcj-wu6c-pfgw" }, { "vulnerability": "VCID-sjfg-863y-c3fp" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.2.1" } ], "aliases": [ "GHSA-9v82-vcjx-m76j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9men-n7d5-63ct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212350?format=api", "vulnerability_id": "VCID-a8xu-y9nr-9uag", "summary": "Shopware 6's password recovery link does not expire after email change", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13" }, { "reference_url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.9" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.0.0" }, { "reference_url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/releases/tag/v6.7.4.1" }, { "reference_url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2w46-vq8h-98vh" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh", "reference_id": "GHSA-2w46-vq8h-98vh", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35236?format=api", "purl": "pkg:composer/shopware/core@6.7.4%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/879129?format=api", "purl": "pkg:composer/shopware/core@6.7.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1" } ], "aliases": [ "GHSA-2w46-vq8h-98vh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a8xu-y9nr-9uag" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71464?format=api", "vulnerability_id": "VCID-dqba-4hk6-eud2", "summary": "Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26177", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26375", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.2639", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26378", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31889" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889", "reference_id": "CVE-2026-31889", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889" }, { "reference_url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4p7-rwrg-pf6p" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p", "reference_id": "GHSA-c4p7-rwrg-pf6p", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31889", "GHSA-c4p7-rwrg-pf6p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dqba-4hk6-eud2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212313?format=api", "vulnerability_id": "VCID-nhdh-f91b-kuex", "summary": "Shopware exposes sensitive user information via CSV export mapping", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083" }, { "reference_url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-27c9-vp3w-6ww8" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8", "reference_id": "GHSA-27c9-vp3w-6ww8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-27c9-vp3w-6ww8" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhdh-f91b-kuex" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212312?format=api", "vulnerability_id": "VCID-nzcj-wu6c-pfgw", "summary": "Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4" }, { "reference_url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cpp-fv95-mpr5" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5", "reference_id": "GHSA-3cpp-fv95-mpr5", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-3cpp-fv95-mpr5" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcj-wu6c-pfgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212310?format=api", "vulnerability_id": "VCID-sjfg-863y-c3fp", "summary": "Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually", "references": [ { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be" }, { "reference_url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m895-2hj3-8cg9" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9", "reference_id": "GHSA-m895-2hj3-8cg9", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34680?format=api", "purl": "pkg:composer/shopware/core@6.7.3%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/873688?format=api", "purl": "pkg:composer/shopware/core@6.7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4nnv-aqdx-x3gr" }, { "vulnerability": "VCID-637f-zxjb-8ufn" }, { "vulnerability": "VCID-a8xu-y9nr-9uag" }, { "vulnerability": "VCID-dqba-4hk6-eud2" }, { "vulnerability": "VCID-zhxv-e8fu-tucd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1" } ], "aliases": [ "GHSA-m895-2hj3-8cg9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sjfg-863y-c3fp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71472?format=api", "vulnerability_id": "VCID-zhxv-e8fu-tucd", "summary": "Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16072", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.1605", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15931", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16084", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31887" }, { "reference_url": "https://github.com/shopware/shopware", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/shopware/shopware" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887", "reference_id": "CVE-2026-31887", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887" }, { "reference_url": "https://github.com/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vvp-j573-5584" }, { "reference_url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584", "reference_id": "GHSA-7vvp-j573-5584", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/" } ], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40703?format=api", "purl": "pkg:composer/shopware/core@6.7.8%2B1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1" }, { "url": "http://public2.vulnerablecode.io/api/packages/962823?format=api", "purl": "pkg:composer/shopware/core@6.7.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1" } ], "aliases": [ "CVE-2026-31887", "GHSA-7vvp-j573-5584" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zhxv-e8fu-tucd" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.2.0" }