Package details: pkg:composer/shopware/shopware@5.2.23
purl pkg:composer/shopware/shopware@5.2.23
Next non-vulnerable version 5.6.9
Latest non-vulnerable version 5.7.18
Risk 3.1
Vulnerabilities affecting this package (15)
Vulnerability Summary Fixed by
VCID-14v3-bjew-3qby
Aliases:
CVE-2017-18357
GHSA-6m27-7cqj-2mxw
Externally Controlled Reference to a Resource in Another Sphere: Shopware has a PHP Object Instantiation issue via the `sort` parameter to the `loadPreviewAction()` method of the `Shopware_Controllers_Backend_ProductStream` controller, with resultant XXE via instantiation of a `SimpleXMLElement` object.
5.3.4
Affected by 10 other vulnerabilities.
VCID-4han-wpdy-nfew
Aliases:
CVE-2020-13970
GHSA-5vmg-x99g-396q
Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.
6.2.3
Affected by 0 other vulnerabilities.
VCID-51d6-x2aj-xfb9
Aliases:
GHSA-28fw-88hq-6jmm
GMS-2020-599
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.
5.6.9
Affected by 0 other vulnerabilities.
VCID-6zw9-8ykf-mqb6
Aliases:
GMS-2018-77
Cross-site Scripting: Non-Persistent XSS in shopware.
5.3.0
Affected by 12 other vulnerabilities.
VCID-7vfc-esw6-abht
Aliases:
GHSA-hrfh-fp4x-crrq
GMS-2020-601
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.
5.6.9
Affected by 0 other vulnerabilities.
VCID-97e5-qak3-e3fa
Aliases:
SW-20878
Non-Persistent XSS: Shopware is affected by two non-persistent Cross-site Scripting (XSS) vulnerabilities in the frontend.
5.3.7
Affected by 9 other vulnerabilities.
VCID-carh-gr9g-vqfs
Aliases:
CVE-2020-13997
GHSA-r4ph-mx67-x58p
Information Exposure Through an Error Message: In Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.
6.2.3
Affected by 0 other vulnerabilities.
VCID-h6qp-71jr-3fef
Aliases:
CVE-2019-12799
GHSA-rf8f-hqjv-986p
Deserialization of Untrusted Data: In `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution.
5.6.1
Affected by 6 other vulnerabilities.
VCID-hymt-whub-abag
Aliases:
CVE-2020-13971
GHSA-fxf3-wx3c-76pf
Cross-site Scripting: In Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. An uploaded image can be accessed without authentication.
6.2.3
Affected by 0 other vulnerabilities.
VCID-k6uh-wqnr-wfas
Aliases:
GHSA-6gv9-7q4g-pmvm
GMS-2020-600
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.
5.6.9
Affected by 0 other vulnerabilities.
VCID-kn8n-n4z7-v3f2
Aliases:
CVE-2017-15374
GHSA-mvrx-cmqw-2jgj
Cross-site Scripting: Shopware is vulnerable to cross-site scripting in the customer and order section of the content management system backend modules. Remote attackers are able to inject malicious script code into the firstname, lastname, or order input fields to provoke persistent execution in the customer and orders section of the backend.
5.3.4
Affected by 10 other vulnerabilities.
VCID-nvv7-js5y-gfbk
Aliases:
GMS-2017-135
Remote Code Execution Vulnerability: Under certain circumstances, it’s possible to execute an authorized foreign code in Shopware.
5.2.25
Affected by 13 other vulnerabilities.
VCID-rqsr-zpk3-kuhm
Aliases:
CVE-2018-20713
GHSA-42gv-77f4-r3j9
Shopware allows SQL Injection by remote authenticated users.
5.4.3
Affected by 8 other vulnerabilities.
VCID-t7re-q293-zfe7
Aliases:
GMS-2017-343
Code Injection: Remote Code Execution Vulnerability in shopware.
5.2.25
Affected by 13 other vulnerabilities.
VCID-xbs4-xa24-5ycg
Aliases:
CVE-2019-12935
GHSA-8qxh-hcr9-2379
Cross-site Scripting: Shopware has XSS via the Query String to the `backend/Login` or `backend/Login/load/` URI.
5.5.8
Affected by 7 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:41:10.689157+00:00 GitLab Importer Affected by VCID-51d6-x2aj-xfb9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/GMS-2020-599.yml 38.6.0
2026-06-04T20:41:08.537632+00:00 GitLab Importer Affected by VCID-7vfc-esw6-abht https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/GMS-2020-601.yml 38.6.0
2026-06-04T20:41:06.303177+00:00 GitLab Importer Affected by VCID-k6uh-wqnr-wfas https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/GMS-2020-600.yml 38.6.0
2026-06-04T20:33:36.058159+00:00 GitLab Importer Affected by VCID-4han-wpdy-nfew https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2020-13970.yml 38.6.0
2026-06-04T20:33:35.448426+00:00 GitLab Importer Affected by VCID-hymt-whub-abag https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2020-13971.yml 38.6.0
2026-06-04T20:33:34.118849+00:00 GitLab Importer Affected by VCID-carh-gr9g-vqfs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2020-13997.yml 38.6.0
2026-06-04T20:22:59.152826+00:00 GitLab Importer Affected by VCID-xbs4-xa24-5ycg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2019-12935.yml 38.6.0
2026-06-04T20:22:49.516044+00:00 GitLab Importer Affected by VCID-h6qp-71jr-3fef https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2019-12799.yml 38.6.0
2026-06-04T20:18:17.329742+00:00 GitLab Importer Affected by VCID-rqsr-zpk3-kuhm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2018-20713.yml 38.6.0
2026-06-04T20:18:16.331901+00:00 GitLab Importer Affected by VCID-14v3-bjew-3qby https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2017-18357.yml 38.6.0
2026-06-04T20:10:56.803898+00:00 GitLab Importer Affected by VCID-6zw9-8ykf-mqb6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/GMS-2018-77.yml 38.6.0
2026-06-04T20:10:54.740485+00:00 GitLab Importer Affected by VCID-97e5-qak3-e3fa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/SW-20878.yml 38.6.0
2026-06-04T20:09:41.066459+00:00 GitLab Importer Affected by VCID-kn8n-n4z7-v3f2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2017-15374.yml 38.6.0
2026-06-04T20:08:12.531486+00:00 GitLab Importer Affected by VCID-t7re-q293-zfe7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/GMS-2017-343.yml 38.6.0
2026-06-04T20:08:08.736756+00:00 GitLab Importer Affected by VCID-nvv7-js5y-gfbk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/GMS-2017-135.yml 38.6.0
2026-06-04T18:37:52.043108+00:00 GHSA Importer Affected by VCID-14v3-bjew-3qby https://github.com/advisories/GHSA-6m27-7cqj-2mxw 38.6.0