{"url":"http://public2.vulnerablecode.io/api/packages/237987?format=json","purl":"pkg:composer/shopware/shopware@5.5.6","type":"composer","namespace":"shopware","name":"shopware","version":"5.5.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.7.18","latest_non_vulnerable_version":"5.7.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54671?format=json","vulnerability_id":"VCID-1nfq-1dnh-x3hj","summary":"Information Exposure\nShopware is an open source eCommerce platform.Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32711","reference_id":"","reference_type":"","scores":[{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60093","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60131","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60113","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.6013","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60143","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.6014","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32711"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021"},{"reference_url":"https:
//github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351"},{"reference_url":"https://github.com/shopware/platform/commit/157fb84a8b3b4ace4be165a033d559826704829b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/157fb84a8b3b4ace4be165a033d559826704829b"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr"},{"reference_url":"https://packagist.org/packages/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32711","reference_id":"CVE-2021-32711","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}]
,"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32711"},{"reference_url":"https://github.com/advisories/GHSA-2p89-5f22-8qvf","reference_id":"GHSA-2p89-5f22-8qvf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p89-5f22-8qvf"},{"reference_url":"https://github.com/advisories/GHSA-f2vv-h5x4-57gr","reference_id":"GHSA-f2vv-h5x4-57gr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2vv-h5x4-57gr"}],"fixed_packages":[],"aliases":["CVE-2021-32711","GHSA-2p89-5f22-8qvf","GHSA-f2vv-h5x4-57gr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1nfq-1dnh-x3hj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109059?format=json","vulnerability_id":"VCID-3pj6-heu7-hyf4","summary":"Shopware contains sensitive data in backend customer module\n### Impact\nThe request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID.\n\n### Patches\nWe recommend updating to the current version 5.7.15. 
You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-15\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36101","reference_id":"","reference_type":"","scores":[{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64733","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64686","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64727","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64736","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64725","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00465","scoring_system":"epss","scoring_elements":"0.64714","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36101"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/af5cdbc81d60f21b728e1433aeb8837f25938d2a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://github.com/shopware/shopware/commit/af5cdbc81d60f21b728e1433aeb8837f25938d2a"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6vfq-jmxg-g58r","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6vfq-jmxg-g58r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36101","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36101"},{"reference_url":"https://packagist.org/packages/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track"
,"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:02Z/"}],"url":"https://packagist.org/packages/shopware/shopware"},{"reference_url":"https://github.com/advisories/GHSA-6vfq-jmxg-g58r","reference_id":"GHSA-6vfq-jmxg-g58r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6vfq-jmxg-g58r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145627?format=json","purl":"pkg:composer/shopware/shopware@5.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.15"}],"aliases":["CVE-2022-36101","GHSA-6vfq-jmxg-g58r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3pj6-heu7-hyf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54665?format=json","vulnerability_id":"VCID-4fkz-vqwt-c3f4","summary":"Missing Authentication for Critical Function\nShopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommended to update to the current version. You can get the update regularly via the Auto-Updater or directly via the download overview. For older versions, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32709","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39947","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39994","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39977","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40004","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40032","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40029","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32709"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32"},{"reference_url":"https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://store.shopware.com/en/d
etail/index/sArticle/518463/number/Swag136939272659"},{"reference_url":"https://www.shopware.com/en/changelog/#6-4-1-1","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-4-1-1"},{"reference_url":"https://www.shopware.com/en/download/#shopware-6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/download/#shopware-6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32709","reference_id":"CVE-2021-32709","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32709"},{"reference_url":"https://github.com/advisories/GHSA-g7w8-pp9w-7p32","reference_id":"GHSA-g7w8-pp9w-7p32","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7w8-pp9w-7p32"},{"reference_url":"https://github.com/advisories/GHSA-p696-gf58-9w97","reference_id":"GHSA-p696-gf58-9w97","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p696-gf58-9w97"}],"fixed_packages":[],"aliases":["CVE-2021-32709","GHSA-g7w8-pp9w-7p32","GHSA-p696-gf58-9w97"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4fkz-vqwt-c3f4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52841?format=json","vulnerability_id":"VCID-4han
-wpdy-nfew","summary":"Shopware is vulnerable to a Server-Side Request Forgery (SSRF) in its \"Mediabrowser upload by URL\" feature. This allows an authenticated user to send HTTP, HTTPS, FTP, and SFTP requests on behalf of the Shopware platform server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13970","reference_id":"","reference_type":"","scores":[{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61341","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61337","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61335","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61348","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61293","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00404","scoring_system":"epss","scoring_elements":"0.61317","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13970"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://www.shopware.com/en/changelog/#6-2-3","reference_id":"","reference_type":"","scores":[{"va
lue":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-2-3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13970","reference_id":"CVE-2020-13970","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13970"},{"reference_url":"https://github.com/advisories/GHSA-5vmg-x99g-396q","reference_id":"GHSA-5vmg-x99g-396q","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vmg-x99g-396q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77748?format=json","purl":"pkg:composer/shopware/shopware@6.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@6.2.3"}],"aliases":["CVE-2020-13970","GHSA-5vmg-x99g-396q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4han-wpdy-nfew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53794?format=json","vulnerability_id":"VCID-51d6-x2aj-xfb9","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in 
shopware/shopware.","references":[{"reference_url":"https://github.com/advisories/GHSA-28fw-88hq-6jmm","reference_id":"GHSA-28fw-88hq-6jmm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-28fw-88hq-6jmm"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-28fw-88hq-6jmm","reference_id":"GHSA-28fw-88hq-6jmm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-28fw-88hq-6jmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79127?format=json","purl":"pkg:composer/shopware/shopware@5.6.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-j2bm-eex6-2ycw"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-xbth-4me7-7kdh"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"},{"vulnerability":"VCID-zk56-4v2w-cbb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.9"}],"aliases":["GHSA-28fw-88hq-6jmm","GMS-2020-599"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-51d6-x2aj-xfb9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabiliti
es/53793?format=json","vulnerability_id":"VCID-7vfc-esw6-abht","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in shopware/shopware.","references":[{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020"},{"reference_url":"https://github.com/advisories/GHSA-hrfh-fp4x-crrq","reference_id":"GHSA-hrfh-fp4x-crrq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hrfh-fp4x-crrq"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hrfh-fp4x-crrq","reference_id":"GHSA-hrfh-fp4x-crrq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hrfh-fp4x-crrq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79127?format=json","purl":"pkg:composer/shopware/shopware@5.6.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-j2bm-eex6-2ycw"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-xbth-4me7-7kdh"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"VCID-yuha-twyz-myhs"}
,{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"},{"vulnerability":"VCID-zk56-4v2w-cbb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.9"}],"aliases":["GHSA-hrfh-fp4x-crrq","GMS-2020-601"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7vfc-esw6-abht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43025?format=json","vulnerability_id":"VCID-94q5-7zhe-7yft","summary":"Weak Password Recovery Mechanism for Forgotten Password\nShopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for password reset can be requested. All tokens can be used to change the password. This makes it possible for an attacker to take over the victim's account if they somehow gain access to the victim's email account and find an unused password reset token in the emails. 
This issue is fixed in version 5.7.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24892","reference_id":"","reference_type":"","scores":[{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52164","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52125","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52185","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52193","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52173","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00285","scoring_system":"epss","scoring_elements":"0.52143","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24892"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:53:43Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-9","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/U
I:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:53:43Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24892","reference_id":"CVE-2022-24892","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24892"},{"reference_url":"https://github.com/advisories/GHSA-3qrq-r688-vvh4","reference_id":"GHSA-3qrq-r688-vvh4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qrq-r688-vvh4"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4","reference_id":"GHSA-3qrq-r688-vvh4","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:53:43Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3qrq-r688-vvh4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61580?format=json","purl":"pkg:composer/shopware/shopware@5.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4t79-5g29-8kc1"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url
":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.9"}],"aliases":["CVE-2022-24892","GHSA-3qrq-r688-vvh4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94q5-7zhe-7yft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42604?format=json","vulnerability_id":"VCID-bzfr-72q4-vfbh","summary":"Insufficient Session Expiration\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24744","reference_id":"","reference_type":"","scores":[{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36595","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36569","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36559","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36529","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36632","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36624","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24744"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_syste
m":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates"},{"reference_url":"https://github.com/shopware/core/commit/324cd1b57db58481df1b1d0030ffc307e2d9fe64","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/core/commit/324cd1b57db58481df1b1d0030ffc307e2d9fe64"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/47b4b094c13f62db860be2f431138bb45c0bd0b6","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/47b4b094c13f62db860be2f431138bb45c0bd0b6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24744","reference_id":"CVE-2022-24744","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24744"},{"reference_url":"https://github.com/advisories/GHSA-w267-m9c4-8555","reference_id":"GHSA-w267-m9c4-8555","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w267-m9c4-8555"},{"reference_url
":"https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555","reference_id":"GHSA-w267-m9c4-8555","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:14Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555"}],"fixed_packages":[],"aliases":["CVE-2022-24744","GHSA-w267-m9c4-8555"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzfr-72q4-vfbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52838?format=json","vulnerability_id":"VCID-carh-gr9g-vqfs","summary":"Information Exposure Through an Error Message\nIn Shopware, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is 
enabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13997","reference_id":"","reference_type":"","scores":[{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75109","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75114","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75087","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75101","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75076","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0084","scoring_system":"epss","scoring_elements":"0.75105","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13997"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://www.shopware.com/en/changelog/#6-2-3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-2-3"},{"reference_url"
:"https://nvd.nist.gov/vuln/detail/CVE-2020-13997","reference_id":"CVE-2020-13997","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13997"},{"reference_url":"https://github.com/advisories/GHSA-r4ph-mx67-x58p","reference_id":"GHSA-r4ph-mx67-x58p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r4ph-mx67-x58p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77748?format=json","purl":"pkg:composer/shopware/shopware@6.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@6.2.3"}],"aliases":["CVE-2020-13997","GHSA-r4ph-mx67-x58p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-carh-gr9g-vqfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41094?format=json","vulnerability_id":"VCID-h6qp-71jr-3fef","summary":"Deserialization of Untrusted Data\nIn `createInstanceFromNamedArguments` in Shopware, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. 
An attacker can leverage this deserialization to achieve remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12799","reference_id":"","reference_type":"","scores":[{"value":"0.24236","scoring_system":"epss","scoring_elements":"0.9619","published_at":"2026-06-04T12:55:00Z"},{"value":"0.24236","scoring_system":"epss","scoring_elements":"0.96204","published_at":"2026-06-09T12:55:00Z"},{"value":"0.24236","scoring_system":"epss","scoring_elements":"0.96198","published_at":"2026-06-08T12:55:00Z"},{"value":"0.24236","scoring_system":"epss","scoring_elements":"0.96196","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12799"},{"reference_url":"https://github.com/advisories/GHSA-6m27-7cqj-2mxw","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6m27-7cqj-2mxw"},{"reference_url":"https://github.com/rapid7/metasploit-framework/pull/11828","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rapid7/metasploit-framework/pull/11828"},{"reference_url":"https://github.com/shopware5/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware"},{"reference_url":"https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe","reference_id":"","reference_type":"","scores":[{"value":"8.8"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe"},{"reference_url":"https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/","reference_id":"","reference_type":"","scores":[],"url":"https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12799","reference_id":"CVE-2019-12799","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12799"},{"reference_url":"https://github.com/advisories/GHSA-rf8f-hqjv-986p","reference_id":"GHSA-rf8f-hqjv-986p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf8f-hqjv-986p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58228?format=json","purl":"pkg:composer/shopware/shopware@5.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4han-wpdy-nfew"},{"vulnerability":"VCID-51d6-x2aj-xfb9"},{"vulnerability":"VCID-7vfc-esw6-abht"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-carh-gr9g-vqfs"},{"vulnerability":"VCID-hymt-whub-abag"},{"vulnerability":"VCID-j2bm-eex6-2ycw"},{"vulnerability":"VCID-k6uh-wqnr-wfas"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gw
wk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-xbth-4me7-7kdh"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"},{"vulnerability":"VCID-zk56-4v2w-cbb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.1"}],"aliases":["CVE-2019-12799","GHSA-rf8f-hqjv-986p"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h6qp-71jr-3fef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52840?format=json","vulnerability_id":"VCID-hymt-whub-abag","summary":"Cross-site Scripting\nIn Shopware, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containing JavaScript. This leads to Persistent XSS. 
An uploaded image can be accessed without authentication.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13971","reference_id":"","reference_type":"","scores":[{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54275","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54263","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54241","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54264","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.5421","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54266","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13971"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-07-2020"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://www.shopware.com/en/changelog/#6-2-3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url
":"https://www.shopware.com/en/changelog/#6-2-3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13971","reference_id":"CVE-2020-13971","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13971"},{"reference_url":"https://github.com/advisories/GHSA-fxf3-wx3c-76pf","reference_id":"GHSA-fxf3-wx3c-76pf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxf3-wx3c-76pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77748?format=json","purl":"pkg:composer/shopware/shopware@6.2.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@6.2.3"}],"aliases":["CVE-2020-13971","GHSA-fxf3-wx3c-76pf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hymt-whub-abag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54321?format=json","vulnerability_id":"VCID-j2bm-eex6-2ycw","summary":"Exposure of .env if project root is configured as web root in shopware/production\nThe .env and other sensitive files can be leaked if the project root and not `/public` is configured as the web 
root.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/advisories/GHSA-3pcr-4982-548m","reference_id":"GHSA-3pcr-4982-548m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pcr-4982-548m"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-3pcr-4982-548m","reference_id":"GHSA-3pcr-4982-548m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-3pcr-4982-548m"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3pcr-4982-548m","reference_id":"GHSA-3pcr-4982-548m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3pcr-4982-548m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1175092?format=json","purl":"pkg:composer/shopware/shopware@6.3.5%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@6.3.5%252B3"}],"aliases":["GHSA-3pcr-4982-548m","GMS-2021-56"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j2bm-eex6-2ycw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53791?format=json","vulnerability_id":"VCID-k6uh-wqnr-wfas","summary":"Improper Neutralization of Input During 
Web Page Generation ('Cross-site Scripting') in shopware/shopware.","references":[{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-11-2020"},{"reference_url":"https://github.com/advisories/GHSA-6gv9-7q4g-pmvm","reference_id":"GHSA-6gv9-7q4g-pmvm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6gv9-7q4g-pmvm"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6gv9-7q4g-pmvm","reference_id":"GHSA-6gv9-7q4g-pmvm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6gv9-7q4g-pmvm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79127?format=json","purl":"pkg:composer/shopware/shopware@5.6.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-j2bm-eex6-2ycw"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-xbth-4me7-7kdh"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"},{"vulnerability":"VCID-zk56-4v2w-
cbb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.9"}],"aliases":["GHSA-6gv9-7q4g-pmvm","GMS-2020-600"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k6uh-wqnr-wfas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42938?format=json","vulnerability_id":"VCID-mnvh-4mq4-hkeh","summary":"Incorrect Permission Assignment for Critical Resource\nShopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24872","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40492","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.4053","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40546","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40574","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40571","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40516","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24872"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:
H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24872","reference_id":"CVE-2022-24872","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24872"},{"reference_url":"https://github.com/advisories/GHSA-9wrv-g75h-8ccc","reference_id":"GHSA-9wrv-g75h-8ccc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wrv-g75h-8ccc"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc","reference_id":"GHSA-9wrv-g75h-8ccc","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"ur
l":"https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc"}],"fixed_packages":[],"aliases":["CVE-2022-24872","GHSA-9wrv-g75h-8ccc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mnvh-4mq4-hkeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43026?format=json","vulnerability_id":"VCID-mx8y-gwwk-wqfs","summary":"Cross-Site Request Forgery (CSRF)\nShopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site request forgery (CSRF) token validation. Under certain circumstances, the CSRF tokens were not generated anew and not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24879","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33164","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33098","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.332","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33214","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33176","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33144","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24879"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/
A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24879","reference_id":"CVE-2022-24879","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24879"},{"reference_url":"https://github.com/advisories/GHSA-pf38-v6qj-j23h","reference_id":"GHSA-pf38-v6qj-j23h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pf38-v6qj-j23h"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h","reference_id":"GHSA-pf38-v6qj-j23h","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/
S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:55:11Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-pf38-v6qj-j23h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61580?format=json","purl":"pkg:composer/shopware/shopware@5.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4t79-5g29-8kc1"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.9"}],"aliases":["CVE-2022-24879","GHSA-pf38-v6qj-j23h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mx8y-gwwk-wqfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43030?format=json","vulnerability_id":"VCID-n3h2-b79h-ukfh","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nShopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site scripting in the storefront. This issue is fixed in version 5.7.9. 
Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24873","reference_id":"","reference_type":"","scores":[{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60929","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60885","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60933","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60941","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.6093","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60912","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24873"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:52Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-9","reference_id":"","reference_type":"","scores":[{"value":"5.4","scorin
g_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:52Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24873","reference_id":"CVE-2022-24873","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24873"},{"reference_url":"https://github.com/advisories/GHSA-4g29-fccr-p59w","reference_id":"GHSA-4g29-fccr-p59w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4g29-fccr-p59w"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w","reference_id":"GHSA-4g29-fccr-p59w","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:52Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4g29-fccr-p59w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61580?format=json","purl":"pkg:composer/shopware/shopware@5.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4t79-5g29-8kc1"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-zf6y-
3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.9"}],"aliases":["CVE-2022-24873","GHSA-4g29-fccr-p59w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n3h2-b79h-ukfh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110588?format=json","vulnerability_id":"VCID-rm5m-1su9-m3f4","summary":"Authenticated Stored Cross-site Scripting in Shopware\n### Impact\nAuthenticated Stored XSS in Administration\n\n### Patches\nWe recommend updating to version 5.7.12. You can get the update to 5.7.12 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/de/changelog-sw5/#5-7-12\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31057","reference_id":"","reference_type":"","scores":[{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61622","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61576","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61624","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61631","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.6162","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00409","scoring_system":"epss","scoring_elements":"0.61603","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31057"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-
update-06-2022","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:38Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022?_ga=2.237805696.1286760707.1655914110-2145019146.1655914110","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2022?_ga=2.237805696.1286760707.1655914110-2145019146.1655914110"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/3e025a0a3e123f4108082645b1ced6fb548f7b6f","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:
M/B:A/M:M/D:T/2025-04-23T14:04:38Z/"}],"url":"https://github.com/shopware/shopware/commit/3e025a0a3e123f4108082645b1ced6fb548f7b6f"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-q754-vwc4-p6qj","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:38Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-q754-vwc4-p6qj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31057","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31057"},{"reference_url":"https://packagist.org/packages/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:04:38Z/"}],"url":"https://packagist.org/packages/shopware/shopware"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-12","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-12"},{"reference_url":"https://github.com/advisories/GHSA-q754-vwc4-p6qj","reference_id":"GHSA-q754-vwc4-p6qj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q754-vwc4-p6qj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/149306?format=json","purl":"pkg:composer/shopware/shopware@5.7.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4t79-5g29-8kc1"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.12"}],"aliases":["CVE-2022-31057","GHSA-q754-vwc4-p6qj","GMS-2022-2547"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rm5m-1su9-m3f4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41638?format=json","vulnerability_id":"VCID-t46e-anzc-zfde","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nShopware is open source e-commerce software. Affected versions contain a cross-site scripting vulnerability. This issue is patched. Two workarounds are available. Using the security plugin or adding a particular config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. 
The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41188","reference_id":"","reference_type":"","scores":[{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.66842","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.66877","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.66859","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.66874","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.6689","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00512","scoring_system":"epss","scoring_elements":"0.66882","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41188"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/sicherheitsupdates/security-update-10-2021"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:
N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/37213e91d525c95df262712cba80d1497e395a58"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v5.7.6","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v5.7.6"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4p3x-8qw9-24w9"},{"reference_url":"https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41188","reference_id":"CVE-2021-41188","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41188"},{"reference_url":"https://github.com/advisories/GHSA-4p3x-8qw9-24w9","reference_id":"GHSA-4p3x-8qw9-24w9","reference_type":"","scores":[{"value":"MODERATE"
,"scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4p3x-8qw9-24w9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59404?format=json","purl":"pkg:composer/shopware/shopware@5.7.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4t79-5g29-8kc1"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-ry3e-89gv-nuaw"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.6"}],"aliases":["CVE-2021-41188","GHSA-4p3x-8qw9-24w9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t46e-anzc-zfde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42939?format=json","vulnerability_id":"VCID-wus7-qmwk-3ygs","summary":"Server-Side Request Forgery (SSRF) in Shopware\nShopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. 
There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24871","reference_id":"","reference_type":"","scores":[{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57587","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57644","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57626","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57639","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57648","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.5764","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24871"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_el
ements":""}],"url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24871","reference_id":"CVE-2022-24871","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24871"},{"reference_url":"https://github.com/advisories/GHSA-7gm7-8q8v-9gf2","reference_id":"GHSA-7gm7-8q8v-9gf2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gm7-8q8v-9gf2"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2","reference_id":"GHSA-7gm7-8q8v-9gf2","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61434?format=json","purl":"pkg:composer/shopware/shopware@6.4.10%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@6.4.10%252B1"}],"aliases":["CVE-2022-24871","GHSA-7gm7-8q8v-9gf2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wus7-qmwk-3ygs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41116?format=json","vulnerability_id":"VCID-xbs4-xa24-5ycg","summary":"Cross-site Scripting\nShopware has XSS via the Query String to the `backend/Login` or `backend/Login/load/` 
URI.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12935","reference_id":"","reference_type":"","scores":[{"value":"0.0358","scoring_system":"epss","scoring_elements":"0.8799","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0358","scoring_system":"epss","scoring_elements":"0.87977","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0358","scoring_system":"epss","scoring_elements":"0.87976","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0358","scoring_system":"epss","scoring_elements":"0.87972","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0358","scoring_system":"epss","scoring_elements":"0.87951","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12935"},{"reference_url":"http://seclists.org/fulldisclosure/2019/Jun/32","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2019/Jun/32"},{"reference_url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware"},{"reference_url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/","reference_id":"","reference_type":"","scores":[],"url":"https://www.netsparker.com/web-applications-advisories/ns-19-004-cross-site-scripting-in-shopware/"},{"reference_url":"https://www.shopware.com/en/changelog/#5-5-8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv
3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#5-5-8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12935","reference_id":"CVE-2019-12935","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12935"},{"reference_url":"https://github.com/advisories/GHSA-8qxh-hcr9-2379","reference_id":"GHSA-8qxh-hcr9-2379","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qxh-hcr9-2379"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58249?format=json","purl":"pkg:composer/shopware/shopware@5.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4han-wpdy-nfew"},{"vulnerability":"VCID-51d6-x2aj-xfb9"},{"vulnerability":"VCID-7vfc-esw6-abht"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-carh-gr9g-vqfs"},{"vulnerability":"VCID-h6qp-71jr-3fef"},{"vulnerability":"VCID-hymt-whub-abag"},{"vulnerability":"VCID-j2bm-eex6-2ycw"},{"vulnerability":"VCID-k6uh-wqnr-wfas"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-xbth-4me7-7kdh"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"},
{"vulnerability":"VCID-zk56-4v2w-cbb6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.5.8"}],"aliases":["CVE-2019-12935","GHSA-8qxh-hcr9-2379"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xbs4-xa24-5ycg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54666?format=json","vulnerability_id":"VCID-xbth-4me7-7kdh","summary":"Cross-site Scripting\nShopware suffers from an authenticated stored XSS vulnerability in the administration. Users are recommended to update. You can get the update regularly via the Auto-Updater or directly via the download overview.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32713","reference_id":"","reference_type":"","scores":[{"value":"0.0039","scoring_system":"epss","scoring_elements":"0.60418","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0039","scoring_system":"epss","scoring_elements":"0.60381","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0039","scoring_system":"epss","scoring_elements":"0.60428","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0039","scoring_system":"epss","scoring_elements":"0.60431","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0039","scoring_system":"epss","scoring_elements":"0.6042","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0039","scoring_system":"epss","scoring_elements":"0.60403","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32713"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-20
21"},{"reference_url":"https://github.com/shopware/shopware/commit/a0850ffbc6f581a8eb8425cc2bf77a0715e21e12","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/a0850ffbc6f581a8eb8425cc2bf77a0715e21e12"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-f6p7-8xfw-fjqq","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-f6p7-8xfw-fjqq"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32713","reference_id":"CVE-2021-32713","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32713"},{"reference_url":"https://github.com/advisories/GHSA-7vmw-7x57-q6jw","reference_id":"GHSA-7vmw-7x57-q6jw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vmw-7x57-q6jw"},{"reference_url":"https://github.com/advisories/GHSA-f6p7-8xfw-fjqq","reference_id":"GHSA-f6p7-8xfw-fjqq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6p7-8xfw-fjqq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81088?format=json","purl":"pkg:composer/shopware/shopware@5.6.10","is_vulnerabl
e":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.10"}],"aliases":["CVE-2021-32713","GHSA-7vmw-7x57-q6jw","GHSA-f6p7-8xfw-fjqq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xbth-4me7-7kdh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54164?format=json","vulnerability_id":"VCID-y3fw-krps-1ufe","summary":"Potential Session Hijacking\nPotential session hijacking of store 
customers.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32710","reference_id":"","reference_type":"","scores":[{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50808","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50779","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50839","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50844","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50823","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00272","scoring_system":"epss","scoring_elements":"0.50792","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32710"},{"reference_url":"https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/010c0154bea57c1fca73277c7431d029db7a972e"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://packagist.org/packages/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32710","reference_id":"CVE-2021-32710","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32710"},{"reference_url":"https://github.com/advisories/GHSA-h9q8-5gv2-v6mg","r
eference_id":"GHSA-h9q8-5gv2-v6mg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h9q8-5gv2-v6mg"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg","reference_id":"GHSA-h9q8-5gv2-v6mg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-h9q8-5gv2-v6mg"}],"fixed_packages":[],"aliases":["CVE-2021-32710","GHSA-h9q8-5gv2-v6mg"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y3fw-krps-1ufe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41960?format=json","vulnerability_id":"VCID-yuha-twyz-myhs","summary":"URL Redirection to Untrusted Site ('Open Redirect')\nShopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrarily redirected due to incomplete URL handling in the shopware router. 
This issue has been resolved. There is no workaround and users are advised to upgrade as soon as possible.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21651","reference_id":"","reference_type":"","scores":[{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49832","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.4979","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49852","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49861","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49843","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49814","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21651"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:34Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/a90046c765c57a46c4399dce17bd174253c32886","reference_id":"","reference_type":
"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:34Z/"}],"url":"https://github.com/shopware/shopware/commit/a90046c765c57a46c4399dce17bd174253c32886"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21651","reference_id":"CVE-2022-21651","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21651"},{"reference_url":"https://github.com/advisories/GHSA-c53v-qmrx-93hg","reference_id":"GHSA-c53v-qmrx-93hg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c53v-qmrx-93hg"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-c53v-qmrx-93hg","reference_id":"GHSA-c53v-qmrx-93hg","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:12:34Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-c53v-qmrx-93hg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59976?format=json","purl":"pkg:composer/shopware/shopware@5.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4t79-5g29-8kc1"},{"vulnerability":"VCID-94q5-7zhe-7yft
"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.7"}],"aliases":["CVE-2022-21651","GHSA-c53v-qmrx-93hg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yuha-twyz-myhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/109145?format=json","vulnerability_id":"VCID-zf6y-3j6j-t3fn","summary":"Shopware access control list bypassed via crafted specific URLs\n### Impact\nIf backend admin controllers are called with a certain notation, the ACL could be bypassed. Users could execute actions, which they are normally not able to do.\n\n### Patches\nWe recommend updating to the current version 5.7.15. 
You can get the update to 5.7.15 regularly via the Auto-Updater or directly via the download overview.\nhttps://www.shopware.com/en/changelog-sw5/#5-7-15\n\nFor older versions you can use the Security Plugin:\nhttps://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html\n\n\n### References\nhttps://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36102","reference_id":"","reference_type":"","scores":[{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.70241","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.70197","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.70239","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.70248","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.7023","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00612","scoring_system":"epss","scoring_elements":"0.70218","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36102"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-09-2022"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:
L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://github.com/shopware/shopware/commit/de92d3a78279119a5bbe203054f8fa1d25126af6"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-qc43-pgwq-3q2q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36102","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36102"},{"reference_url":"https://packagist.org/packages/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track",
"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:01:00Z/"}],"url":"https://packagist.org/packages/shopware/shopware"},{"reference_url":"https://github.com/advisories/GHSA-qc43-pgwq-3q2q","reference_id":"GHSA-qc43-pgwq-3q2q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qc43-pgwq-3q2q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145627?format=json","purl":"pkg:composer/shopware/shopware@5.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.15"}],"aliases":["CVE-2022-36102","GHSA-qc43-pgwq-3q2q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zf6y-3j6j-t3fn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45507?format=json","vulnerability_id":"VCID-zk1n-spyv-2yfq","summary":"Improper Check for Unusual or Exceptional Conditions\nShopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible to construct different mail addresses, that in the end result in the same address, which is shared by multiple accounts. This issue has been addressed in version 5.7.18 and users are advised to update. 
There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34099","reference_id":"","reference_type":"","scores":[{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33903","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33848","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33882","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33917","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33874","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34099"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-06-2023"},{"reference_url":"https://github.com/shopware5/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware"},{"reference_url":"https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"
generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://github.com/shopware5/shopware/commit/39cc714d9a0be33b43877044d0b88ea3c6b43f3d"},{"reference_url":"https://github.com/shopware5/shopware/security/advisories/GHSA-gh66-fp7j-98v5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware5/shopware/security/advisories/GHSA-gh66-fp7j-98v5"},{"reference_url":"https://www.shopware.com/en/changelog-sw5/#5-7-18","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://www.shopware.com/en/changelog-sw5/#5-7-18"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34099","reference_id":"CVE-2023-34099","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34099"},{"reference_url":"https://github.com/advisories/GHSA-gh66-fp7j-98v5","reference_id":"GHSA-gh66-fp7j-98v5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gh66-fp7j-98v5"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5","reference_id":"GHSA-gh
66-fp7j-98v5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T17:02:39Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-gh66-fp7j-98v5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65787?format=json","purl":"pkg:composer/shopware/shopware@5.7.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.7.18"}],"aliases":["CVE-2023-34099","GHSA-gh66-fp7j-98v5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zk1n-spyv-2yfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54674?format=json","vulnerability_id":"VCID-zk56-4v2w-cbb6","summary":"Information Exposure\nShopware is vulnerable to system information leakage in error handling. 
Users are recommended to update to version 5.6.10. You can get the update regularly via the Auto-Updater or directly via the download overview.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32712","reference_id":"","reference_type":"","scores":[{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53487","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53437","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53496","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53505","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53489","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53463","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32712"},{"reference_url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-05-2021"},{"reference_url":"https://github.com/shopware/shopware/commit/dcb24eb5ec757c991b5a4e2ddced379e5820744d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/dcb24eb5ec757c991b5a4e2ddced379e5820744d"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-9vxv-wpv4-f52p","reference_id":"","reference_type":"","sc
ores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-9vxv-wpv4-f52p"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32712","reference_id":"CVE-2021-32712","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32712"},{"reference_url":"https://github.com/advisories/GHSA-9vxv-wpv4-f52p","reference_id":"GHSA-9vxv-wpv4-f52p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9vxv-wpv4-f52p"},{"reference_url":"https://github.com/advisories/GHSA-qwpp-fgrj-h78q","reference_id":"GHSA-qwpp-fgrj-h78q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qwpp-fgrj-h78q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/81088?format=json","purl":"pkg:composer/shopware/shopware@5.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-3pj6-heu7-hyf4"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-94q5-7zhe-7yft"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mx8y-gwwk-wqfs"},{"vulnerability":"VCID-n3h2-b79h-ukfh"},{"vulnerability":"VCID-rm5m-1su9-m3f4"},{"vulnerability":"VCID-t46e-anzc-zfde"},{"vulnerability":"VCID-t4s7-r659-pyba"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y3fw-krps-1ufe"},{"vulnerability":"
VCID-yuha-twyz-myhs"},{"vulnerability":"VCID-zf6y-3j6j-t3fn"},{"vulnerability":"VCID-zk1n-spyv-2yfq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.6.10"}],"aliases":["CVE-2021-32712","GHSA-9vxv-wpv4-f52p","GHSA-qwpp-fgrj-h78q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zk56-4v2w-cbb6"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/shopware@5.5.6"}