Search for packages
| purl | pkg:composer/shopware/shopware@5.4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6cb3-b3qq-juap
Aliases: CVE-2019-12799 GHSA-rf8f-hqjv-986p |
Deserialization of Untrusted Data In `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. |
Affected by 0 other vulnerabilities. |
|
VCID-c3rs-ndfu-c3bq
Aliases: CVE-2019-12935 GHSA-8qxh-hcr9-2379 |
Cross-site Scripting Shopware has XSS via the Query String to the `backend/Login` or `backend/Login/load/` URI. |
Affected by 1 other vulnerability. |
|
VCID-vzv3-795x-gfhd
Aliases: CVE-2018-20713 GHSA-42gv-77f4-r3j9 |
Shopware allows SQL Injection by remote authenticated users. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-31T09:57:38.671595+00:00 | GitLab Importer | Affected by | VCID-c3rs-ndfu-c3bq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2019-12935.yml | 38.6.0 |
| 2026-05-31T09:57:29.468040+00:00 | GitLab Importer | Affected by | VCID-6cb3-b3qq-juap | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2019-12799.yml | 38.6.0 |
| 2026-05-31T09:53:03.684917+00:00 | GitLab Importer | Affected by | VCID-vzv3-795x-gfhd | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/shopware/shopware/CVE-2018-20713.yml | 38.6.0 |