VulnerableCode Package Details - pkg:composer/shopware/core@6.7.3%2B1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3p2z-hcws-z3b4	Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.	GHSA-3cpp-fv95-mpr5
VCID-45c8-9fte-y7fm	Shopware Customer Orders can be canceled, even if refunds are disabled Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php To mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.	GHSA-r2vg-hvjm-fg38
VCID-5tjh-39gd-g3ar	Shopware exposes sensitive user information via CSV export mapping Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including: • Data regarding other users, such as usernames and/or e-mail addresses • Sensitive commercial data such as customer names • Technical details about the website and/or the underlying infrastructure Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.	GHSA-27c9-vp3w-6ww8
VCID-b9t6-7zka-gfgd	Shopware vulnerable to path traversal via Plugin upload A path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.	GHSA-6wh5-mw9h-5c3w
VCID-pj2t-p678-3yft	Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.	GHSA-m895-2hj3-8cg9

Vulnerability

Summary

Aliases

VCID-3p2z-hcws-z3b4

Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.

GHSA-3cpp-fv95-mpr5

VCID-45c8-9fte-y7fm

Shopware Customer Orders can be canceled, even if refunds are disabled Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller): https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php To mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.

GHSA-r2vg-hvjm-fg38

VCID-5tjh-39gd-g3ar

Shopware exposes sensitive user information via CSV export mapping Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including: • Data regarding other users, such as usernames and/or e-mail addresses • Sensitive commercial data such as customer names • Technical details about the website and/or the underlying infrastructure Disclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.

GHSA-27c9-vp3w-6ww8

VCID-b9t6-7zka-gfgd

Shopware vulnerable to path traversal via Plugin upload A path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.

GHSA-6wh5-mw9h-5c3w

VCID-pj2t-p678-3yft

Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.

GHSA-m895-2hj3-8cg9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T01:05:41.555082+00:00	GHSA Importer	Fixing	VCID-45c8-9fte-y7fm	https://github.com/advisories/GHSA-r2vg-hvjm-fg38	38.6.0
2026-05-31T01:05:41.368058+00:00	GHSA Importer	Fixing	VCID-5tjh-39gd-g3ar	https://github.com/advisories/GHSA-27c9-vp3w-6ww8	38.6.0
2026-05-31T01:05:41.172151+00:00	GHSA Importer	Fixing	VCID-3p2z-hcws-z3b4	https://github.com/advisories/GHSA-3cpp-fv95-mpr5	38.6.0
2026-05-31T01:05:41.011782+00:00	GHSA Importer	Fixing	VCID-b9t6-7zka-gfgd	https://github.com/advisories/GHSA-6wh5-mw9h-5c3w	38.6.0
2026-05-31T01:05:40.932920+00:00	GHSA Importer	Fixing	VCID-pj2t-p678-3yft	https://github.com/advisories/GHSA-m895-2hj3-8cg9	38.6.0
2026-05-30T21:04:30.157503+00:00	GitLab Importer	Fixing	VCID-3p2z-hcws-z3b4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/core/GHSA-3cpp-fv95-mpr5.yml	38.6.0
2026-05-30T21:04:30.112056+00:00	GitLab Importer	Fixing	VCID-pj2t-p678-3yft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/core/GHSA-m895-2hj3-8cg9.yml	38.6.0
2026-05-30T21:04:29.921297+00:00	GitLab Importer	Fixing	VCID-45c8-9fte-y7fm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/core/GHSA-r2vg-hvjm-fg38.yml	38.6.0
2026-05-30T21:04:29.869975+00:00	GitLab Importer	Fixing	VCID-b9t6-7zka-gfgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/core/GHSA-6wh5-mw9h-5c3w.yml	38.6.0
2026-05-30T21:04:29.712027+00:00	GitLab Importer	Fixing	VCID-5tjh-39gd-g3ar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/core/GHSA-27c9-vp3w-6ww8.yml	38.6.0