{"url":"http://public2.vulnerablecode.io/api/packages/275035?format=json","purl":"pkg:composer/shopware/core@6.3.2.0","type":"composer","namespace":"shopware","name":"core","version":"6.3.2.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.6.10.15","latest_non_vulnerable_version":"6.7.8.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55653?format=json","vulnerability_id":"VCID-14t2-9jjh-uyhb","summary":"Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api\nThe store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON.\n\nThe processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used.\n\nThis issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42354","reference_id":"","reference_type":"","scores":[{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62558","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62557","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62543","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62567","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62559","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42354"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42354","reference_id":"CVE-2024-42354","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42354"},{"reference_url":"https://github.com/advisories/GHSA-hhcq-ph6w-494g","reference_id":"GHSA-hhcq-ph6w-494g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhcq-ph6w-494g"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g","reference_id":"GHSA-hhcq-ph6w-494g","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82367?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/756277?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/82368?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42354","GHSA-hhcq-ph6w-494g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-14t2-9jjh-uyhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54671?format=json","vulnerability_id":"VCID-1nfq-1dnh-x3hj","summary":"Information Exposure\nShopware is an open source eCommerce platform.Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32711","reference_id":"","reference_type":"","scores":[{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60093","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60131","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60113","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.6013","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60143","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.6014","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32711"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351"},{"reference_url":"https://github.com/shopware/platform/commit/157fb84a8b3b4ace4be165a033d559826704829b","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/157fb84a8b3b4ace4be165a033d559826704829b"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-f2vv-h5x4-57gr"},{"reference_url":"https://packagist.org/packages/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32711","reference_id":"CVE-2021-32711","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32711"},{"reference_url":"https://github.com/advisories/GHSA-2p89-5f22-8qvf","reference_id":"GHSA-2p89-5f22-8qvf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p89-5f22-8qvf"},{"reference_url":"https://github.com/advisories/GHSA-f2vv-h5x4-57gr","reference_id":"GHSA-f2vv-h5x4-57gr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2vv-h5x4-57gr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/300168?format=json","purl":"pkg:composer/shopware/core@6.3.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-7hse-bftv-dudy"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-d8zx-6gre-43bf"},{"vulnerability":"VCID-daqf-77y8-dya1"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-vajj-mrd3-kkfh"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-w85b-b7st-y3bq"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-x5r9-wrf3-myc5"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81094?format=json","purl":"pkg:composer/shopware/core@6.3.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.5%252B1"}],"aliases":["CVE-2021-32711","GHSA-2p89-5f22-8qvf","GHSA-f2vv-h5x4-57gr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1nfq-1dnh-x3hj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53719?format=json","vulnerability_id":"VCID-22r5-szkg-cfew","summary":"### Impact\nAuthenticated XML External Entity Processing\n\n### Patches\nWe recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2 the corresponding changes are also available via plugin:\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020","references":[{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://snyk.io/vuln/SNYK-PHP-SHOPWAREPLATFORM-1019470","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-PHP-SHOPWAREPLATFORM-1019470"},{"reference_url":"https://github.com/advisories/GHSA-8xv9-qcr9-ww9j","reference_id":"GHSA-8xv9-qcr9-ww9j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xv9-qcr9-ww9j"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-8xv9-qcr9-ww9j","reference_id":"GHSA-8xv9-qcr9-ww9j","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-8xv9-qcr9-ww9j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78961?format=json","purl":"pkg:composer/shopware/core@6.3.2%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.2%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["GHSA-8xv9-qcr9-ww9j","GMS-2020-587","GMS-2020-594"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-22r5-szkg-cfew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41318?format=json","vulnerability_id":"VCID-2bzu-jddv-q7gy","summary":"Cross-site Scripting\nShopware is an open source eCommerce platform. contain a Cross-Site Scripting vulnerability via SVG media files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37710","reference_id":"","reference_type":"","scores":[{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55362","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55393","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55412","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55423","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0032","scoring_system":"epss","scoring_elements":"0.55418","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37710"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/abe9f69e1f667800f974acccd3047b4930e4b423"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-fc38-mxwr-pfhx","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-fc38-mxwr-pfhx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37710","reference_id":"CVE-2021-37710","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37710"},{"reference_url":"https://github.com/advisories/GHSA-fc38-mxwr-pfhx","reference_id":"GHSA-fc38-mxwr-pfhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fc38-mxwr-pfhx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58709?format=json","purl":"pkg:composer/shopware/core@6.4.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2021-37710","GHSA-fc38-mxwr-pfhx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2bzu-jddv-q7gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53720?format=json","vulnerability_id":"VCID-38pe-b8nt-73gm","summary":"### Impact\n Denial of Service via Cache Flooding\n\n### Patches\nWe recommend to update to the current version 6.3.2.1. You can get the update to 6.3.2.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2 the corresponding changes are also available via plugin:\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-10-2020","references":[{"reference_url":"https://github.com/advisories/GHSA-p68v-frgx-4rjp","reference_id":"GHSA-p68v-frgx-4rjp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p68v-frgx-4rjp"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-p68v-frgx-4rjp","reference_id":"GHSA-p68v-frgx-4rjp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-p68v-frgx-4rjp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78961?format=json","purl":"pkg:composer/shopware/core@6.3.2%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.2%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["GHSA-p68v-frgx-4rjp","GMS-2020-589","GMS-2020-596"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-38pe-b8nt-73gm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54665?format=json","vulnerability_id":"VCID-4fkz-vqwt-c3f4","summary":"Missing Authentication for Critical Function\nShopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recommend to update to the current You can get the update to regularly via the Auto-Updater or directly via the download overview. For older versions of, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32709","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39947","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39994","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.39977","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40004","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40032","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40029","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32709"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-g7w8-pp9w-7p32"},{"reference_url":"https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659"},{"reference_url":"https://www.shopware.com/en/changelog/#6-4-1-1","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/changelog/#6-4-1-1"},{"reference_url":"https://www.shopware.com/en/download/#shopware-6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/download/#shopware-6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32709","reference_id":"CVE-2021-32709","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32709"},{"reference_url":"https://github.com/advisories/GHSA-g7w8-pp9w-7p32","reference_id":"GHSA-g7w8-pp9w-7p32","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7w8-pp9w-7p32"},{"reference_url":"https://github.com/advisories/GHSA-p696-gf58-9w97","reference_id":"GHSA-p696-gf58-9w97","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p696-gf58-9w97"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/528123?format=json","purl":"pkg:composer/shopware/core@6.4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81089?format=json","purl":"pkg:composer/shopware/core@6.4.1%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1%252B1"}],"aliases":["CVE-2021-32709","GHSA-g7w8-pp9w-7p32","GHSA-p696-gf58-9w97"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4fkz-vqwt-c3f4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44969?format=json","vulnerability_id":"VCID-4m2y-d8vg-b7fj","summary":"Improper Control of Generation of Code ('Code Injection')\nServer-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\\Core\\Framework\\Adapter\\Twig\\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2017","reference_id":"","reference_type":"","scores":[{"value":"0.02271","scoring_system":"epss","scoring_elements":"0.84976","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02271","scoring_system":"epss","scoring_elements":"0.84974","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02271","scoring_system":"epss","scoring_elements":"0.8496","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02271","scoring_system":"epss","scoring_elements":"0.84969","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02271","scoring_system":"epss","scoring_elements":"0.84971","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2017"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/releases/tag/v6.4.20.1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/releases/tag/v6.4.20.1"},{"reference_url":"https://starlabs.sg/advisories/23/23-2017","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://starlabs.sg/advisories/23/23-2017"},{"reference_url":"https://starlabs.sg/advisories/23/23-2017/","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/"}],"url":"https://starlabs.sg/advisories/23/23-2017/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2017","reference_id":"CVE-2023-2017","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2017"},{"reference_url":"https://github.com/advisories/GHSA-7v2v-9rm4-7m8f","reference_id":"GHSA-7v2v-9rm4-7m8f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7v2v-9rm4-7m8f"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f","reference_id":"GHSA-7v2v-9rm4-7m8f","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:46:34Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f","reference_id":"GHSA-7v2v-9rm4-7m8f","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/647080?format=json","purl":"pkg:composer/shopware/core@6.4.20.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.20.1"},{"url":"http://public2.vulnerablecode.io/api/packages/64799?format=json","purl":"pkg:composer/shopware/core@6.4.20%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.20%252B1"}],"aliases":["CVE-2023-2017","GHSA-7v2v-9rm4-7m8f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4m2y-d8vg-b7fj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57104?format=json","vulnerability_id":"VCID-5f2j-cjfz-13a6","summary":"Shopware Broken ACL on Document retrieval to access other customers documents\nIt's possible to guess the deepLinkCode of an Document to open documents of other customers","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"GHSA-68wv-g3fw-pq7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"GHSA-68wv-g3fw-pq7q","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84783?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkbu-cs9b-5kdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813729?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84780?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813731?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vk-35pw-p7bq"},{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84781?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"}],"aliases":["GHSA-68wv-g3fw-pq7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5f2j-cjfz-13a6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44219?format=json","vulnerability_id":"VCID-6ag9-41qf-7kg1","summary":"Insufficient Session Expiration\nShopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time. In version 6.4.18.1 an automatic logout into the Administration session has been added. As a result the user will be logged out when they are inactive. Users are advised to upgrade. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22732","reference_id":"","reference_type":"","scores":[{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61509","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61463","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61511","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61517","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61506","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61489","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22732"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/"}],"url":"https://github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22732","reference_id":"CVE-2023-22732","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22732"},{"reference_url":"https://github.com/advisories/GHSA-59qg-93jg-236f","reference_id":"GHSA-59qg-93jg-236f","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-59qg-93jg-236f"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f","reference_id":"GHSA-59qg-93jg-236f","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:48Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/631852?format=json","purl":"pkg:composer/shopware/core@6.4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63582?format=json","purl":"pkg:composer/shopware/core@6.4.18%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1"}],"aliases":["CVE-2023-22732","GHSA-59qg-93jg-236f"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6ag9-41qf-7kg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54668?format=json","vulnerability_id":"VCID-7hse-bftv-dudy","summary":"Information Exposure\nShopware is an open source eCommerce platform. the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32716","reference_id":"","reference_type":"","scores":[{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54342","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54309","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54366","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54375","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54364","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32716"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021"},{"reference_url":"https://github.com/shopware/platform/commit/b5c3ce3e93bd121324d72aa9d367cb636ff1c0eb","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/b5c3ce3e93bd121324d72aa9d367cb636ff1c0eb"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-gpmh-g94g-qrhr","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-gpmh-g94g-qrhr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32716","reference_id":"CVE-2021-32716","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32716"},{"reference_url":"https://github.com/advisories/GHSA-68v9-3jjq-rvp4","reference_id":"GHSA-68v9-3jjq-rvp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68v9-3jjq-rvp4"},{"reference_url":"https://github.com/advisories/GHSA-gpmh-g94g-qrhr","reference_id":"GHSA-gpmh-g94g-qrhr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gpmh-g94g-qrhr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/528123?format=json","purl":"pkg:composer/shopware/core@6.4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81089?format=json","purl":"pkg:composer/shopware/core@6.4.1%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1%252B1"}],"aliases":["CVE-2021-32716","GHSA-68v9-3jjq-rvp4","GHSA-gpmh-g94g-qrhr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7hse-bftv-dudy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55658?format=json","vulnerability_id":"VCID-8a7v-6u8f-1bgw","summary":"Shopware vulnerable to Server Side Template Injection in Twig using Context functions\nThe `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function.\n\nExample call from PHP:\n\n```php\n$context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void {\n$fileBlob = $mediaService->loadFile($media->getId(), $context);\n});\n```\n\nThis function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method.\n\nIt's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42356","reference_id":"","reference_type":"","scores":[{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62857","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62872","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62882","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62873","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42356"},{"reference_url":"https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42356","reference_id":"CVE-2024-42356","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42356"},{"reference_url":"https://github.com/advisories/GHSA-35jp-8cgg-p4wj","reference_id":"GHSA-35jp-8cgg-p4wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-35jp-8cgg-p4wj"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj","reference_id":"GHSA-35jp-8cgg-p4wj","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82367?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/756277?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/82368?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42356","GHSA-35jp-8cgg-p4wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8a7v-6u8f-1bgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53902?format=json","vulnerability_id":"VCID-8uw6-1xqy-xbd3","summary":"### Impact\nAuthenticated Privilege Escalation\n\n### Patches\nWe recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2 the corresponding changes are also available via plugin:\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020","references":[{"reference_url":"https://github.com/advisories/GHSA-5q58-x5h2-v5rx","reference_id":"GHSA-5q58-x5h2-v5rx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5q58-x5h2-v5rx"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-5q58-x5h2-v5rx","reference_id":"GHSA-5q58-x5h2-v5rx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-5q58-x5h2-v5rx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/282456?format=json","purl":"pkg:composer/shopware/core@6.3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-7hse-bftv-dudy"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-d8zx-6gre-43bf"},{"vulnerability":"VCID-daqf-77y8-dya1"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-vajj-mrd3-kkfh"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-w85b-b7st-y3bq"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-x5r9-wrf3-myc5"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79397?format=json","purl":"pkg:composer/shopware/core@6.3.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.4%252B1"}],"aliases":["GHSA-5q58-x5h2-v5rx","GMS-2020-585","GMS-2020-592"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8uw6-1xqy-xbd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48092?format=json","vulnerability_id":"VCID-9ksd-2p9q-bkbx","summary":"Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice\nServer-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the\norganization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4"},{"reference_url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/892807?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k46b-gxuz-vyb7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71037?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892810?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71036?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"}],"aliases":["GHSA-3cpp-fv95-mpr5"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ksd-2p9q-bkbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46840?format=json","vulnerability_id":"VCID-a22b-gnbv-skec","summary":"Improper Access Control\nShopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22407","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28712","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28608","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28601","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28634","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28671","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22407"},{"reference_url":"https://github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/core/commit/78142489264f9262eaaa436ba036df40026a06be"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/fb25e24ca51650009ffa2520f1e67b48b911354a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22407","reference_id":"CVE-2024-22407","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22407"},{"reference_url":"https://github.com/advisories/GHSA-3867-jc5c-66qf","reference_id":"GHSA-3867-jc5c-66qf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3867-jc5c-66qf"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf","reference_id":"GHSA-3867-jc5c-66qf","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T16:09:33Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/708017?format=json","purl":"pkg:composer/shopware/core@6.5.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7.4"},{"url":"http://public2.vulnerablecode.io/api/packages/68536?format=json","purl":"pkg:composer/shopware/core@6.5.7%2B4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7%252B4"}],"aliases":["CVE-2024-22407","GHSA-3867-jc5c-66qf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a22b-gnbv-skec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41317?format=json","vulnerability_id":"VCID-a9x5-7d88-x3gy","summary":"Command Injection\nShopware is an open source eCommerce platform. contain a command injection vulnerability in mail agent settings.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37708","reference_id":"","reference_type":"","scores":[{"value":"0.07808","scoring_system":"epss","scoring_elements":"0.92122","published_at":"2026-06-04T12:55:00Z"},{"value":"0.07808","scoring_system":"epss","scoring_elements":"0.92145","published_at":"2026-06-09T12:55:00Z"},{"value":"0.07808","scoring_system":"epss","scoring_elements":"0.92131","published_at":"2026-06-08T12:55:00Z"},{"value":"0.07808","scoring_system":"epss","scoring_elements":"0.92132","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07808","scoring_system":"epss","scoring_elements":"0.92134","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37708"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/82d8d1995f6ce9054323b2c3522b1b3cf04853aa","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/82d8d1995f6ce9054323b2c3522b1b3cf04853aa"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-xh55-2fqp-p775","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-xh55-2fqp-p775"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37708","reference_id":"CVE-2021-37708","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37708"},{"reference_url":"https://github.com/advisories/GHSA-xh55-2fqp-p775","reference_id":"GHSA-xh55-2fqp-p775","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh55-2fqp-p775"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58709?format=json","purl":"pkg:composer/shopware/core@6.4.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2021-37708","GHSA-xh55-2fqp-p775"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a9x5-7d88-x3gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50873?format=json","vulnerability_id":"VCID-avzz-tczy-y7d3","summary":"Shopware vulnerable to a potential take over of app credentials\nWe identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop.\nWe have no evidence that this vulnerability has been exploited.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26188","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26138","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26132","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26234","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26241","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889","reference_id":"CVE-2026-31889","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889"},{"reference_url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74830?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/980965?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/74829?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/980970?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31889","GHSA-c4p7-rwrg-pf6p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-avzz-tczy-y7d3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42601?format=json","vulnerability_id":"VCID-brge-9sbd-r3b6","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it is possible to inject code via the voucher code form. This issue has been patched in version 6.4.8.1. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24746","reference_id":"","reference_type":"","scores":[{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60885","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60929","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60912","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.6093","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60941","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00397","scoring_system":"epss","scoring_elements":"0.60933","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24746"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:19Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/651598a61073cbe59368e311817bdc6e7fb349c6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:19Z/"}],"url":"https://github.com/shopware/platform/commit/651598a61073cbe59368e311817bdc6e7fb349c6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24746","reference_id":"CVE-2022-24746","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24746"},{"reference_url":"https://github.com/advisories/GHSA-952p-fqcp-g8pc","reference_id":"GHSA-952p-fqcp-g8pc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-952p-fqcp-g8pc"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-952p-fqcp-g8pc","reference_id":"GHSA-952p-fqcp-g8pc","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:19Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-952p-fqcp-g8pc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/561968?format=json","purl":"pkg:composer/shopware/core@6.4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/60924?format=json","purl":"pkg:composer/shopware/core@6.4.8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-pzgj-ayv2-aygj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.8%252B1"}],"aliases":["CVE-2022-24746","GHSA-952p-fqcp-g8pc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-brge-9sbd-r3b6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42604?format=json","vulnerability_id":"VCID-bzfr-72q4-vfbh","summary":"Insufficient Session Expiration\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24744","reference_id":"","reference_type":"","scores":[{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36595","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36569","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36559","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36529","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36632","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36624","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24744"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2022?category=security-updates"},{"reference_url":"https://github.com/shopware/core/commit/324cd1b57db58481df1b1d0030ffc307e2d9fe64","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/core/commit/324cd1b57db58481df1b1d0030ffc307e2d9fe64"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/47b4b094c13f62db860be2f431138bb45c0bd0b6","reference_id":"","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/47b4b094c13f62db860be2f431138bb45c0bd0b6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24744","reference_id":"CVE-2022-24744","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24744"},{"reference_url":"https://github.com/advisories/GHSA-w267-m9c4-8555","reference_id":"GHSA-w267-m9c4-8555","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w267-m9c4-8555"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555","reference_id":"GHSA-w267-m9c4-8555","reference_type":"","scores":[{"value":"2.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:14Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-w267-m9c4-8555"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/561968?format=json","purl":"pkg:composer/shopware/core@6.4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/60924?format=json","purl":"pkg:composer/shopware/core@6.4.8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-pzgj-ayv2-aygj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.8%252B1"}],"aliases":["CVE-2022-24744","GHSA-w267-m9c4-8555"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzfr-72q4-vfbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54679?format=json","vulnerability_id":"VCID-d8zx-6gre-43bf","summary":"### Impact\nnon-admin users can create integration role with administrator role\n\n### Patches\nWe recommend updating to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659","references":[{"reference_url":"https://github.com/advisories/GHSA-243q-g9j3-qf6r","reference_id":"GHSA-243q-g9j3-qf6r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-243q-g9j3-qf6r"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-243q-g9j3-qf6r","reference_id":"GHSA-243q-g9j3-qf6r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-243q-g9j3-qf6r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/528123?format=json","purl":"pkg:composer/shopware/core@6.4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81089?format=json","purl":"pkg:composer/shopware/core@6.4.1%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1%252B1"}],"aliases":["GHSA-243q-g9j3-qf6r","GMS-2021-118","GMS-2021-123"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d8zx-6gre-43bf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54667?format=json","vulnerability_id":"VCID-daqf-77y8-dya1","summary":"Information Exposure\nShopware is an open source eCommerce platform. private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32717","reference_id":"","reference_type":"","scores":[{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56249","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.563","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56281","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56297","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56311","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0033","scoring_system":"epss","scoring_elements":"0.56304","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32717"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32717","reference_id":"CVE-2021-32717","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32717"},{"reference_url":"https://github.com/advisories/GHSA-6gr8-c3m5-mvrg","reference_id":"GHSA-6gr8-c3m5-mvrg","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6gr8-c3m5-mvrg"},{"reference_url":"https://github.com/advisories/GHSA-vrf2-xghr-j52v","reference_id":"GHSA-vrf2-xghr-j52v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vrf2-xghr-j52v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/528123?format=json","purl":"pkg:composer/shopware/core@6.4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81089?format=json","purl":"pkg:composer/shopware/core@6.4.1%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1%252B1"}],"aliases":["CVE-2021-32717","GHSA-6gr8-c3m5-mvrg","GHSA-vrf2-xghr-j52v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-daqf-77y8-dya1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41319?format=json","vulnerability_id":"VCID-ef55-3mp4-7khx","summary":"Inclusion of Sensitive Information in Log Files\nShopware is an open source eCommerce platform. contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37709","reference_id":"","reference_type":"","scores":[{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.4441","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.4438","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44449","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44457","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44433","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44398","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37709"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37709","reference_id":"CVE-2021-37709","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37709"},{"reference_url":"https://github.com/advisories/GHSA-54gp-qff8-946c","reference_id":"GHSA-54gp-qff8-946c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-54gp-qff8-946c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58709?format=json","purl":"pkg:composer/shopware/core@6.4.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2021-37709","GHSA-54gp-qff8-946c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ef55-3mp4-7khx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57105?format=json","vulnerability_id":"VCID-fkbu-cs9b-5kdq","summary":"Shopware 6 allows attackers to check for registered accounts through the store-api\nThrough the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop.\n\nUsing the store-api endpoint `/store-api/account/recovery-password` you get the response\n```\n{\"errors\":[{\"status\":\"404\",\"code\":\"CHECKOUT__CUSTOMER_NOT_FOUND\",\"title\":\"Not Found\",\"detail\":\"No matching customer for the email \\u0022asdasfd@asdads.de\\u0022 was found.\",\"meta\":{\"parameters\":{\"email\":\"asdasfd@asdads.de\"}}}]}\n```\n\nwhich indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150","reference_id":"","reference_type":"","scores":[{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74586","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74563","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74581","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74592","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74589","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150","reference_id":"CVE-2025-30150","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150"},{"reference_url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84782?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813729?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84780?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813731?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vk-35pw-p7bq"},{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84781?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-30150","GHSA-hh7j-6x3q-f52h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fkbu-cs9b-5kdq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41315?format=json","vulnerability_id":"VCID-fwh2-p73c-wkg5","summary":"Improper Input Validation\nShopware is an open source eCommerce platform. contain a vulnerability that allows manipulation of product reviews via API. contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37707","reference_id":"","reference_type":"","scores":[{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44032","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44005","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44075","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44083","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44058","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44022","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37707"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/912b96de3b839c6c5525c98cbb58f537c2d838be"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-9f8f-574q-8jmf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37707","reference_id":"CVE-2021-37707","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37707"},{"reference_url":"https://github.com/advisories/GHSA-9f8f-574q-8jmf","reference_id":"GHSA-9f8f-574q-8jmf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9f8f-574q-8jmf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58709?format=json","purl":"pkg:composer/shopware/core@6.4.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2021-37707","GHSA-9f8f-574q-8jmf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fwh2-p73c-wkg5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44218?format=json","vulnerability_id":"VCID-gqq9-fu97-yycr","summary":"Insertion of Sensitive Information into Log File\nShopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would write out all kind of sent mails. An attacker with access to either the local system logs or a centralized logging store may have access to other users accounts. This issue has been addressed in version 6.4.18.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. Users unable to upgrade may remove from all users the log module ACL rights or disable logging.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22733","reference_id":"","reference_type":"","scores":[{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53716","published_at":"2026-06-05T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53689","published_at":"2026-06-08T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53712","published_at":"2026-06-09T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53658","published_at":"2026-06-04T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53725","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22733"},{"reference_url":"https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/"}],"url":"https://developer.shopware.com/docs/guides/hosting/performance/performance-tweaks#logging"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/"}],"url":"https://github.com/shopware/platform/commit/407a83063d7141c1a626441799c3ebef79498c07"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22733","reference_id":"CVE-2023-22733","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22733"},{"reference_url":"https://github.com/advisories/GHSA-7cp7-jfp6-jh4f","reference_id":"GHSA-7cp7-jfp6-jh4f","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cp7-jfp6-jh4f"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f","reference_id":"GHSA-7cp7-jfp6-jh4f","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:45Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-7cp7-jfp6-jh4f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/631852?format=json","purl":"pkg:composer/shopware/core@6.4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63582?format=json","purl":"pkg:composer/shopware/core@6.4.18%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1"}],"aliases":["CVE-2023-22733","GHSA-7cp7-jfp6-jh4f"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gqq9-fu97-yycr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42599?format=json","vulnerability_id":"VCID-guds-2g3f-kqdu","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24747","reference_id":"","reference_type":"","scores":[{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56006","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55954","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56009","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56014","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.56001","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55985","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24747"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:22Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:22Z/"}],"url":"https://github.com/shopware/platform/commit/d51863148f32306aafdbc7f9f48887c69fce206f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24747","reference_id":"CVE-2022-24747","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24747"},{"reference_url":"https://github.com/advisories/GHSA-6wrh-279j-6hvw","reference_id":"GHSA-6wrh-279j-6hvw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wrh-279j-6hvw"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw","reference_id":"GHSA-6wrh-279j-6hvw","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:09:22Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-6wrh-279j-6hvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60916?format=json","purl":"pkg:composer/shopware/core@6.4.8%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.8%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2022-24747","GHSA-6wrh-279j-6hvw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-guds-2g3f-kqdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55657?format=json","vulnerability_id":"VCID-hq7q-hbbd-7yea","summary":"Shopware vulnerable to blind SQL-injection in DAL aggregations\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using SQL parameters.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42357","reference_id":"","reference_type":"","scores":[{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74739","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74742","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74716","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74732","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74744","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42357"},{"reference_url":"https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42357","reference_id":"CVE-2024-42357","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42357"},{"reference_url":"https://github.com/advisories/GHSA-p6w9-r443-r752","reference_id":"GHSA-p6w9-r443-r752","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6w9-r443-r752"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752","reference_id":"GHSA-p6w9-r443-r752","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82367?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/756277?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/82368?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42357","GHSA-p6w9-r443-r752"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hq7q-hbbd-7yea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48095?format=json","vulnerability_id":"VCID-hydh-s4nh-2bct","summary":"Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually\nIn Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/892807?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k46b-gxuz-vyb7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71037?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892810?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71036?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"}],"aliases":["GHSA-m895-2hj3-8cg9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hydh-s4nh-2bct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41770?format=json","vulnerability_id":"VCID-hyjy-jt8a-xqfu","summary":"Webcache Poisoning in shopware/platform and shopware/core\nWebcache Poisoning via X-Forwarded-Prefix and sub-request Patches.","references":[{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/9062f15450d183f2c666664841efd4f5ef25e0f3","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/9062f15450d183f2c666664841efd4f5ef25e0f3"},{"reference_url":"https://github.com/advisories/GHSA-r64m-qchj-hrjp","reference_id":"GHSA-r64m-qchj-hrjp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r64m-qchj-hrjp"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-r64m-qchj-hrjp","reference_id":"GHSA-r64m-qchj-hrjp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-r64m-qchj-hrjp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59667?format=json","purl":"pkg:composer/shopware/core@6.4.6%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.6%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["GHSA-r64m-qchj-hrjp","GMS-2021-121","GMS-2021-128"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hyjy-jt8a-xqfu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48382?format=json","vulnerability_id":"VCID-k46b-gxuz-vyb7","summary":"Shopware 6's password recovery link does not expire after email change\nWhen a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email) remains valid. An attacker with access to the old email inbox is potentially able to reset the customer’s password even after the user changes their email address.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13"},{"reference_url":"https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.9","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.9"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.4.1","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.4.1"},{"reference_url":"https://github.com/advisories/GHSA-2w46-vq8h-98vh","reference_id":"GHSA-2w46-vq8h-98vh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2w46-vq8h-98vh"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh","reference_id":"GHSA-2w46-vq8h-98vh","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71415?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B9"},{"url":"http://public2.vulnerablecode.io/api/packages/898257?format=json","purl":"pkg:composer/shopware/core@6.6.10.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.9"},{"url":"http://public2.vulnerablecode.io/api/packages/898259?format=json","purl":"pkg:composer/shopware/core@6.7.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71416?format=json","purl":"pkg:composer/shopware/core@6.7.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1"}],"aliases":["GHSA-2w46-vq8h-98vh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k46b-gxuz-vyb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44213?format=json","vulnerability_id":"VCID-mjqw-k8vw-a3f5","summary":"Improper Input Validation\nShopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions It was possible to put the same line item multiple times in the cart using the AP. The Cart Validators checked the line item's individuality and the user was able to bypass quantity limits in sales. This problem has been fixed with version 6.4.18.1. Users on major versions 6.1, 6.2, and 6.3 may also obtain this fix via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22730","reference_id":"","reference_type":"","scores":[{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53444","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53495","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53471","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53496","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53513","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53503","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22730"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/4fce12096e54b2033832d9104fa2e68888c2b4e9","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/"}],"url":"https://github.com/shopware/platform/commit/4fce12096e54b2033832d9104fa2e68888c2b4e9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22730","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22730"},{"reference_url":"https://github.com/advisories/GHSA-8r6h-m72v-38fg","reference_id":"GHSA-8r6h-m72v-38fg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8r6h-m72v-38fg"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-8r6h-m72v-38fg","reference_id":"GHSA-8r6h-m72v-38fg","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:33Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-8r6h-m72v-38fg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/631852?format=json","purl":"pkg:composer/shopware/core@6.4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63582?format=json","purl":"pkg:composer/shopware/core@6.4.18%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1"}],"aliases":["CVE-2023-22730","GHSA-8r6h-m72v-38fg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mjqw-k8vw-a3f5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42938?format=json","vulnerability_id":"VCID-mnvh-4mq4-hkeh","summary":"Incorrect Permission Assignment for Critical Resource\nShopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api are still usable within normal user session. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24872","reference_id":"","reference_type":"","scores":[{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40492","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.4053","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40546","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40574","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40571","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00189","scoring_system":"epss","scoring_elements":"0.40516","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24872"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24872","reference_id":"CVE-2022-24872","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24872"},{"reference_url":"https://github.com/advisories/GHSA-9wrv-g75h-8ccc","reference_id":"GHSA-9wrv-g75h-8ccc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9wrv-g75h-8ccc"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc","reference_id":"GHSA-9wrv-g75h-8ccc","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-9wrv-g75h-8ccc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61426?format=json","purl":"pkg:composer/shopware/core@6.4.10%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.10%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2022-24872","GHSA-9wrv-g75h-8ccc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mnvh-4mq4-hkeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48094?format=json","vulnerability_id":"VCID-mtmv-v5sx-eqg7","summary":"Shopware Customer Orders can be canceled, even if refunds are disabled\nRefunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller):\n https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 \n https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php \n\nTo mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592"},{"reference_url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/892807?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k46b-gxuz-vyb7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71037?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892810?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71036?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"}],"aliases":["GHSA-r2vg-hvjm-fg38"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mtmv-v5sx-eqg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53903?format=json","vulnerability_id":"VCID-n6pq-9vew-2uhy","summary":"### Impact\nAuthenticated Server Side Request Forgery\n\n### Patches\nWe recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2 the corresponding changes are also available via plugin:\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020\n\n### Credits\nWe would like to thank <a rel=\"noopener\" href=\"https://reqon.nl\">REQON B.V.</a> for reporting this issue.","references":[{"reference_url":"https://github.com/advisories/GHSA-8pfh-mm2g-hmc3","reference_id":"GHSA-8pfh-mm2g-hmc3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8pfh-mm2g-hmc3"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-8pfh-mm2g-hmc3","reference_id":"GHSA-8pfh-mm2g-hmc3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-8pfh-mm2g-hmc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/282456?format=json","purl":"pkg:composer/shopware/core@6.3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-7hse-bftv-dudy"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-d8zx-6gre-43bf"},{"vulnerability":"VCID-daqf-77y8-dya1"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-vajj-mrd3-kkfh"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-w85b-b7st-y3bq"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-x5r9-wrf3-myc5"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79397?format=json","purl":"pkg:composer/shopware/core@6.3.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.4%252B1"}],"aliases":["GHSA-8pfh-mm2g-hmc3","GMS-2020-586","GMS-2020-593"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n6pq-9vew-2uhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57117?format=json","vulnerability_id":"VCID-p1jm-k5y2-h3bp","summary":"Shopware default newsletter opt-in settings allow for mass sign-up abuse\nCurrently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.\n\nDefault settings are:\n\nNewsletter: Double Opt-in - active\n\nNewsletter: Double opt-in for registered customers - disabled\n\nLog-in & sign-up: Double opt-in on sign-up - disabled\n\nWith these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63598","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63604","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63584","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63596","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63605","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378","reference_id":"CVE-2025-32378","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378"},{"reference_url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/814023?format=json","purl":"pkg:composer/shopware/core@6.5.8.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.17"},{"url":"http://public2.vulnerablecode.io/api/packages/84783?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkbu-cs9b-5kdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/813729?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84780?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813731?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vk-35pw-p7bq"},{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84781?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-32378","GHSA-4h9w-7vfp-px8m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p1jm-k5y2-h3bp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42600?format=json","vulnerability_id":"VCID-pzgj-ayv2-aygj","summary":"Improper Authentication\nShopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24748","reference_id":"","reference_type":"","scores":[{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44912","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44875","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44945","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44951","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.4493","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00222","scoring_system":"epss","scoring_elements":"0.44902","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24748"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022?_ga=2.27683580.172848620.1646933022-368790926.1646933022","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-03-2022?_ga=2.27683580.172848620.1646933022-368790926.1646933022"},{"reference_url":"https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:22Z/"}],"url":"https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24748","reference_id":"CVE-2022-24748","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24748"},{"reference_url":"https://github.com/advisories/GHSA-83vp-6jqg-6cmr","reference_id":"GHSA-83vp-6jqg-6cmr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-83vp-6jqg-6cmr"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr","reference_id":"GHSA-83vp-6jqg-6cmr","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:22Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60916?format=json","purl":"pkg:composer/shopware/core@6.4.8%2B2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.8%252B2"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2022-24748","GHSA-83vp-6jqg-6cmr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pzgj-ayv2-aygj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48090?format=json","vulnerability_id":"VCID-q5p6-3znn-s3ab","summary":"Shopware exposes sensitive user information via CSV export mapping\nSensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:\n• Data regarding other users, such as usernames and/or e-mail addresses\n• Sensitive commercial data such as customer names\n• Technical details about the website and/or the underlying infrastructure\nDisclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083"},{"reference_url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/892807?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k46b-gxuz-vyb7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71037?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892810?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71036?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"}],"aliases":["GHSA-27c9-vp3w-6ww8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q5p6-3znn-s3ab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41320?format=json","vulnerability_id":"VCID-qqvx-y8cd-2yhv","summary":"Server-Side Request Forgery (SSRF)\nShopware contains an authenticated server-side request forgery vulnerability in file upload via URL.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37711","reference_id":"","reference_type":"","scores":[{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67155","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67124","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67165","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67172","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67156","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67139","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37711"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-gcvv-gq92-x94r","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-gcvv-gq92-x94r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37711","reference_id":"CVE-2021-37711","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37711"},{"reference_url":"https://github.com/advisories/GHSA-gcvv-gq92-x94r","reference_id":"GHSA-gcvv-gq92-x94r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gcvv-gq92-x94r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58709?format=json","purl":"pkg:composer/shopware/core@6.4.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2021-37711","GHSA-gcvv-gq92-x94r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qqvx-y8cd-2yhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55654?format=json","vulnerability_id":"VCID-rxhq-fukk-93ek","summary":"Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag\nShopware has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag.\nIt accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42355","reference_id":"","reference_type":"","scores":[{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77937","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77918","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77929","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77938","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77932","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42355"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355","reference_id":"CVE-2024-42355","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355"},{"reference_url":"https://github.com/advisories/GHSA-27wp-jvhw-v4xp","reference_id":"GHSA-27wp-jvhw-v4xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27wp-jvhw-v4xp"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp","reference_id":"GHSA-27wp-jvhw-v4xp","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82367?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/756277?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/82368?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42355","GHSA-27wp-jvhw-v4xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rxhq-fukk-93ek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50860?format=json","vulnerability_id":"VCID-sufc-w77t-pufy","summary":"Shopware: Unauthenticated data extraction possible through store-api.order endpoint\nAn insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15906","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15841","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1582","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15948","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15958","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887","reference_id":"CVE-2026-31887","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887"},{"reference_url":"https://github.com/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vvp-j573-5584"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74830?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/980965?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/74829?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/980970?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31887","GHSA-7vvp-j573-5584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sufc-w77t-pufy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44214?format=json","vulnerability_id":"VCID-t2hg-m8tr-7fgf","summary":"Improper Input Validation\nShopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was not checked properly, and it was possible to skip the complete double opt in process. As a result operators may have inconsistencies in their newsletter systems. This problem has been fixed with version 6.4.18.1. Users are advised to upgrade. Users unable to upgrade may find security measures are available via a plugin for major versions 6.1, 6.2, and 6.3. Users may also disable newsletter registration completely.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22734","reference_id":"","reference_type":"","scores":[{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53495","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53444","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53503","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53513","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53496","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53471","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22734"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/"}],"url":"https://github.com/shopware/platform/commit/f5a95ee2bcf1e546878450963ef1d9886e59a620"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22734","reference_id":"CVE-2023-22734","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22734"},{"reference_url":"https://github.com/advisories/GHSA-46h7-vj7x-fxg2","reference_id":"GHSA-46h7-vj7x-fxg2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-46h7-vj7x-fxg2"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2","reference_id":"GHSA-46h7-vj7x-fxg2","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:59:51Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-46h7-vj7x-fxg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/631852?format=json","purl":"pkg:composer/shopware/core@6.4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63582?format=json","purl":"pkg:composer/shopware/core@6.4.18%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1"}],"aliases":["CVE-2023-22734","GHSA-46h7-vj7x-fxg2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t2hg-m8tr-7fgf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50862?format=json","vulnerability_id":"VCID-tahr-n29c-v3fw","summary":"Shopware has user enumeration via distinct error codes on Store API login endpoint\nThe Store API login endpoint (`POST /store-api/account/login`) returns different error codes depending on whether the submitted email address belongs to a registered customer (`CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS`) or is unknown (`CHECKOUT__CUSTOMER_NOT_FOUND`). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17454","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17391","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17374","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.1749","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17495","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888","reference_id":"CVE-2026-31888","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888"},{"reference_url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74830?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/980965?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/74829?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/980970?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31888","GHSA-gqc5-xv7m-gcjq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tahr-n29c-v3fw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46841?format=json","vulnerability_id":"VCID-v51t-h468-37ez","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\nShopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using time-based SQL-queries. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22406","reference_id":"","reference_type":"","scores":[{"value":"0.00415","scoring_system":"epss","scoring_elements":"0.62054","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00415","scoring_system":"epss","scoring_elements":"0.62044","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00415","scoring_system":"epss","scoring_elements":"0.62027","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00415","scoring_system":"epss","scoring_elements":"0.62043","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00415","scoring_system":"epss","scoring_elements":"0.62047","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22406"},{"reference_url":"https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.7.4","reference_id":"","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.7.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22406","reference_id":"CVE-2024-22406","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22406"},{"reference_url":"https://github.com/advisories/GHSA-qmp9-2xwj-m6m9","reference_id":"GHSA-qmp9-2xwj-m6m9","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qmp9-2xwj-m6m9"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9","reference_id":"GHSA-qmp9-2xwj-m6m9","reference_type":"","scores":[{"value":"9.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T15:42:55Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/708017?format=json","purl":"pkg:composer/shopware/core@6.5.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7.4"},{"url":"http://public2.vulnerablecode.io/api/packages/68536?format=json","purl":"pkg:composer/shopware/core@6.5.7%2B4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.7%252B4"}],"aliases":["CVE-2024-22406","GHSA-qmp9-2xwj-m6m9"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v51t-h468-37ez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54332?format=json","vulnerability_id":"VCID-vajj-mrd3-kkfh","summary":"After order payment process manipulation in shopware/platform and shopware/core\n### Impact\n\nAfter order payment process manipulation\n\n### Patches\nWe recommend to update to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\n\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021","references":[{"reference_url":"https://github.com/advisories/GHSA-88rc-3p98-rgvx","reference_id":"GHSA-88rc-3p98-rgvx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-88rc-3p98-rgvx"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-88rc-3p98-rgvx","reference_id":"GHSA-88rc-3p98-rgvx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-88rc-3p98-rgvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/300170?format=json","purl":"pkg:composer/shopware/core@6.3.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-7hse-bftv-dudy"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-d8zx-6gre-43bf"},{"vulnerability":"VCID-daqf-77y8-dya1"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-w85b-b7st-y3bq"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/80284?format=json","purl":"pkg:composer/shopware/core@6.3.5%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.5%252B3"}],"aliases":["GHSA-88rc-3p98-rgvx","GMS-2021-119","GMS-2021-124"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vajj-mrd3-kkfh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57096?format=json","vulnerability_id":"VCID-w2jq-5a2z-q3cr","summary":"Shopware Vulnerable to Blind SQL-injection in DAL aggregations\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. The ‘name’ field in this “aggregations” **in nested** object is vulnerable SQL-injection and can be exploited using SQL parameters.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892","reference_id":"","reference_type":"","scores":[{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79657","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79662","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79665","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79656","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79646","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892","reference_id":"CVE-2025-27892","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892"},{"reference_url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/","reference_id":"rt-sa-2025-001","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84782?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813729?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84780?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813731?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vk-35pw-p7bq"},{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84781?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-27892","GHSA-8g35-7rmw-7f59"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w2jq-5a2z-q3cr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54682?format=json","vulnerability_id":"VCID-w85b-b7st-y3bq","summary":"### Impact\nCanceling of orders not related to the logged-in user\n\n### Patches\nWe recommend updating to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659","references":[{"reference_url":"https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659"},{"reference_url":"https://www.shopware.com/en/download/#shopware-6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.shopware.com/en/download/#shopware-6"},{"reference_url":"https://github.com/advisories/GHSA-wq3r-jwrq-xg6w","reference_id":"GHSA-wq3r-jwrq-xg6w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq3r-jwrq-xg6w"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-wq3r-jwrq-xg6w","reference_id":"GHSA-wq3r-jwrq-xg6w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-wq3r-jwrq-xg6w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/528123?format=json","purl":"pkg:composer/shopware/core@6.4.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81089?format=json","purl":"pkg:composer/shopware/core@6.4.1%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.1%252B1"}],"aliases":["GHSA-wq3r-jwrq-xg6w","GMS-2021-122","GMS-2021-129"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w85b-b7st-y3bq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53904?format=json","vulnerability_id":"VCID-wqzh-j9n5-eqbn","summary":"### Impact\n\nInformation exposure via query strings in URL\n\n### Patches\nWe recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2 the corresponding changes are also available via plugin:\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020\n\n### Credits\nWe would like to thank <a rel=\"noopener\" href=\"https://www.vater-it.de/\">Oliver Herrmann</a> for reporting this issue.","references":[{"reference_url":"https://github.com/advisories/GHSA-cq6h-w3mc-57f4","reference_id":"GHSA-cq6h-w3mc-57f4","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cq6h-w3mc-57f4"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-cq6h-w3mc-57f4","reference_id":"GHSA-cq6h-w3mc-57f4","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-cq6h-w3mc-57f4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/282456?format=json","purl":"pkg:composer/shopware/core@6.3.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-1nfq-1dnh-x3hj"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-7hse-bftv-dudy"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-d8zx-6gre-43bf"},{"vulnerability":"VCID-daqf-77y8-dya1"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-vajj-mrd3-kkfh"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-w85b-b7st-y3bq"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-x5r9-wrf3-myc5"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/79397?format=json","purl":"pkg:composer/shopware/core@6.3.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.4%252B1"}],"aliases":["GHSA-cq6h-w3mc-57f4","GMS-2020-588","GMS-2020-595"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wqzh-j9n5-eqbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42939?format=json","vulnerability_id":"VCID-wus7-qmwk-3ygs","summary":"Server-Side Request Forgery (SSRF) in Shopware\nShopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24871","reference_id":"","reference_type":"","scores":[{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57587","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57644","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57626","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57639","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.57648","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00348","scoring_system":"epss","scoring_elements":"0.5764","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24871"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/commit/083765e2d64a00315050c4891800c9e98ba0c77c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24871","reference_id":"CVE-2022-24871","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24871"},{"reference_url":"https://github.com/advisories/GHSA-7gm7-8q8v-9gf2","reference_id":"GHSA-7gm7-8q8v-9gf2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gm7-8q8v-9gf2"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2","reference_id":"GHSA-7gm7-8q8v-9gf2","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-7gm7-8q8v-9gf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61426?format=json","purl":"pkg:composer/shopware/core@6.4.10%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.10%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/275036?format=json","purl":"pkg:composer/shopware/core@6.6.0.0-rc7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.0.0-rc7"}],"aliases":["CVE-2022-24871","GHSA-7gm7-8q8v-9gf2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wus7-qmwk-3ygs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54322?format=json","vulnerability_id":"VCID-x5r9-wrf3-myc5","summary":"Leak of information via Store-API aggregations in shopware/platform and shopware/core\n### Impact\n\nLeak of information via Store-API\n\n### Patches\nWe recommend to update to the current version 6.3.5.3. You can get the update to 6.3.5.3 regularly via the Auto-Updater or directly via the download overview.\n\nhttps://www.shopware.com/en/download/#shopware-6\n\n### Workarounds\nFor older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\nhttps://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659\n\n### For more information\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2021","references":[{"reference_url":"https://github.com/advisories/GHSA-qg7c-q3vq-rgxr","reference_id":"GHSA-qg7c-q3vq-rgxr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qg7c-q3vq-rgxr"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-qg7c-q3vq-rgxr","reference_id":"GHSA-qg7c-q3vq-rgxr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-qg7c-q3vq-rgxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/300170?format=json","purl":"pkg:composer/shopware/core@6.3.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-2bzu-jddv-q7gy"},{"vulnerability":"VCID-4fkz-vqwt-c3f4"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-6ag9-41qf-7kg1"},{"vulnerability":"VCID-7hse-bftv-dudy"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-a9x5-7d88-x3gy"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-brge-9sbd-r3b6"},{"vulnerability":"VCID-bzfr-72q4-vfbh"},{"vulnerability":"VCID-d8zx-6gre-43bf"},{"vulnerability":"VCID-daqf-77y8-dya1"},{"vulnerability":"VCID-ef55-3mp4-7khx"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-fwh2-p73c-wkg5"},{"vulnerability":"VCID-gqq9-fu97-yycr"},{"vulnerability":"VCID-guds-2g3f-kqdu"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-hyjy-jt8a-xqfu"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mjqw-k8vw-a3f5"},{"vulnerability":"VCID-mnvh-4mq4-hkeh"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-pzgj-ayv2-aygj"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-qqvx-y8cd-2yhv"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-t2hg-m8tr-7fgf"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-w85b-b7st-y3bq"},{"vulnerability":"VCID-wus7-qmwk-3ygs"},{"vulnerability":"VCID-y48k-b7wt-6khu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.5.3"},{"url":"http://public2.vulnerablecode.io/api/packages/80284?format=json","purl":"pkg:composer/shopware/core@6.3.5%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.5%252B3"}],"aliases":["GHSA-qg7c-q3vq-rgxr","GMS-2021-120","GMS-2021-127"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x5r9-wrf3-myc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44216?format=json","vulnerability_id":"VCID-y48k-b7wt-6khu","summary":"Improper Control of Generation of Code ('Code Injection')\nShopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22731","reference_id":"","reference_type":"","scores":[{"value":"0.02406","scoring_system":"epss","scoring_elements":"0.85364","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02406","scoring_system":"epss","scoring_elements":"0.85386","published_at":"2026-06-09T12:55:00Z"},{"value":"0.02406","scoring_system":"epss","scoring_elements":"0.85373","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02406","scoring_system":"epss","scoring_elements":"0.85387","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02406","scoring_system":"epss","scoring_elements":"0.85392","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22731"},{"reference_url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/"}],"url":"https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates"},{"reference_url":"https://github.com/shopware/platform","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/platform"},{"reference_url":"https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/"}],"url":"https://github.com/shopware/platform/commit/89d1ea154689cb6202e0d3a0ceeae0febb0c09e1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22731","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22731"},{"reference_url":"https://github.com/advisories/GHSA-93cw-f5jj-x85w","reference_id":"GHSA-93cw-f5jj-x85w","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-93cw-f5jj-x85w"},{"reference_url":"https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w","reference_id":"GHSA-93cw-f5jj-x85w","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-03-10T20:58:32Z/"}],"url":"https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/631852?format=json","purl":"pkg:composer/shopware/core@6.4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-14t2-9jjh-uyhb"},{"vulnerability":"VCID-4m2y-d8vg-b7fj"},{"vulnerability":"VCID-5f2j-cjfz-13a6"},{"vulnerability":"VCID-8a7v-6u8f-1bgw"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-a22b-gnbv-skec"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-fkbu-cs9b-5kdq"},{"vulnerability":"VCID-hq7q-hbbd-7yea"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-p1jm-k5y2-h3bp"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-rxhq-fukk-93ek"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-v51t-h468-37ez"},{"vulnerability":"VCID-w2jq-5a2z-q3cr"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"},{"vulnerability":"VCID-zrbg-5afh-9ybc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63582?format=json","purl":"pkg:composer/shopware/core@6.4.18%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.18%252B1"}],"aliases":["CVE-2023-22731","GHSA-93cw-f5jj-x85w"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y48k-b7wt-6khu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48093?format=json","vulnerability_id":"VCID-zpm7-dc1q-7qf9","summary":"Shopware vulnerable to path traversal via Plugin upload\nA path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/892807?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k46b-gxuz-vyb7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/71037?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892810?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71036?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"}],"aliases":["GHSA-6wh5-mw9h-5c3w"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zpm7-dc1q-7qf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57101?format=json","vulnerability_id":"VCID-zrbg-5afh-9ybc","summary":"Shopware allows Denial Of Service via password length\nIt's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151","reference_id":"","reference_type":"","scores":[{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74337","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74355","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74368","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74363","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151","reference_id":"CVE-2025-30151","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151"},{"reference_url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84783?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkbu-cs9b-5kdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/728536?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813729?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84780?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813731?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vk-35pw-p7bq"},{"vulnerability":"VCID-7v27-95mx-6ud8"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-k46b-gxuz-vyb7"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84781?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-30151","GHSA-cgfj-hj93-rmh2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zrbg-5afh-9ybc"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.3.2.0"}