{"url":"http://public2.vulnerablecode.io/api/packages/734393?format=json","purl":"pkg:composer/shopware/core@6.5.8.10","type":"composer","namespace":"shopware","name":"core","version":"6.5.8.10","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.6.10.15","latest_non_vulnerable_version":"6.7.8.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212311?format=json","vulnerability_id":"VCID-43zt-wnjy-rudk","summary":"Shopware vulnerable to path traversal via Plugin upload","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elemen
ts":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-6wh5-mw9h-5c3w"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-43zt-wnjy-rudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212314?format=json","vulnerability_id":"VCID-5b7t-vavj-efae","summary":"Shopware Customer Orders can be canceled, even if refunds are 
disabled","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592"},{"reference_url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vul
nerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-r2vg-hvjm-fg38"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5b7t-vavj-efae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71295?format=json","vulnerability_id":"VCID-637f-zxjb-8ufn","summary":"Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. 
This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17474","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17628","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17654","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17636","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888","reference_id":"CVE-2026-31888","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888"},{"reference_url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.
1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40705?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/962818?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/40703?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/962823?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31888","GHSA-gqc5-xv7m-gcjq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-637f-zxjb-8ufn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360508?format=json","vulnerability_id":"VCID-6tys-6s4d-fqcm","summary":"Shopware Broken ACL on Document retrieval to access other customers documents\n### Impact\nIt's possible to guess the deepLinkCode of a Document to open documents of other customers\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 
6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","sc
oring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q"},{"reference_url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"GHSA-68wv-g3fw-pq7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376414?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-stdp-p5h7-3kg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":
"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["GHSA-68wv-g3fw-pq7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6tys-6s4d-fqcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212350?format=json","vulnerability_id":"VCID-a8xu-y9nr-9uag","summary":"Shopware 6's password recovery link does not expire after email 
change","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13"},{"reference_url":"https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.9","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.9"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0"},{
"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.4.1","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.4.1"},{"reference_url":"https://github.com/advisories/GHSA-2w46-vq8h-98vh","reference_id":"GHSA-2w46-vq8h-98vh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2w46-vq8h-98vh"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh","reference_id":"GHSA-2w46-vq8h-98vh","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35232?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B9"},{"url":"http://public2.vulnerablecode.io/api/packages/879127?format=json","purl":"pkg:composer/shopware/core@6.6.10.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.9"},{"url":"http://public2.vulnerablecode.io/api/packages/35236?format=json","purl":"pkg:composer/shopware/core@6.7.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1"}
,{"url":"http://public2.vulnerablecode.io/api/packages/879129?format=json","purl":"pkg:composer/shopware/core@6.7.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1"}],"aliases":["GHSA-2w46-vq8h-98vh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a8xu-y9nr-9uag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71464?format=json","vulnerability_id":"VCID-dqba-4hk6-eud2","summary":"Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. 
This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26177","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26375","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.2639","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26378","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889","reference_id":"CVE-2026-31889","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889"},{"reference_url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_el
ements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40705?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/962818?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/40703?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/962823?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31889","GHSA-c4p7-rwrg-pf6p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dqba-4hk6-eud2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41243?format=json","vulnerability_id":"VCID-h4gh-jepq-2ue8","summary":"Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. 
The searches performed by this function can be aggregated using the parameters in the `aggregations` object. The `name` field in this `aggregations` object is vulnerable to SQL injection and can be exploited using SQL parameters. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42357","reference_id":"","reference_type":"","scores":[{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74858","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74868","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74872","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74787","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42357"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b","reference_id":"57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_
elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b"},{"reference_url":"https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9","reference_id":"63c05615694790f5790a04ef889f42b764fa53c9","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvss
v4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42357","reference_id":"CVE-2024-42357","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42357"},{"reference_url":"https://github.com/advisories/GHSA-p6w9-r443-r752","reference_id":"GHSA-p6w9-r443-r752","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6w9-r443-r752"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752","reference_id":"GHSA-p6w9-r443-r752","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32942?format=json
","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/734405?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-6tys-6s4d-fqcm"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-sq4j-drbr-fub6"},{"vulnerability":"VCID-stdp-p5h7-3kg3"},{"vulnerability":"VCID-u41w-g79s-eyez"},{"vulnerability":"VCID-ykq7-2fy3-b7e1"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32950?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42357","G
HSA-p6w9-r443-r752"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h4gh-jepq-2ue8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212313?format=json","vulnerability_id":"VCID-nhdh-f91b-kuex","summary":"Shopware exposes sensitive user information via CSV export mapping","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083"},{"reference_url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8"}],"fixed_packages":[{"url":"http://public2.vulnerablecod
e.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-27c9-vp3w-6ww8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhdh-f91b-kuex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212312?format=json","vulnerability_id":"VCID-nzcj-wu6c-pfgw","summary":"Shopware vulnerable to Server-Side Request Forgery (SSRF) – order 
invoice","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4"},{"reference_url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by
_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-3cpp-fv95-mpr5"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcj-wu6c-pfgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41060?format=json","vulnerability_id":"VCID-parp-avvf-v3bu","summary":"Shopware, an open ecommerce platform, has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages triggered within this tag. Prior to versions 6.6.5.1 and 6.5.8.13, the tag accepts as its parameter a string naming the feature flag to silence, but this parameter is not escaped properly, which allows execution of code. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. 
For older versions of 6.2, 6.3,  and 6.4, corresponding security measures are also available via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42355","reference_id":"","reference_type":"","scores":[{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.78052","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.78058","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.78045","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77977","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42355"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da","reference_id":"445c6763cc093fbd651e0efaa4150deae4ae60da","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7
e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355","reference_id":"CVE-2024-42355","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355"},{"reference_url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2","reference_id":"d35ee2eda5c995faeb08b3dad12
7eab65c64e2a2","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"reference_url":"https://github.com/advisories/GHSA-27wp-jvhw-v4xp","reference_id":"GHSA-27wp-jvhw-v4xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27wp-jvhw-v4xp"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp","reference_id":"GHSA-27wp-jvhw-v4xp","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32942?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_
vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/734405?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-6tys-6s4d-fqcm"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-sq4j-drbr-fub6"},{"vulnerability":"VCID-stdp-p5h7-3kg3"},{"vulnerability":"VCID-u41w-g79s-eyez"},{"vulnerability":"VCID-ykq7-2fy3-b7e1"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32950?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42355","GHSA-27wp-jvhw-v4xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-parp-avvf-v3bu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41262?format=json","vulnerability_id":"VCID-qhgp-qxed-7qbc","summary":"Shopware is an open 
commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows access to the current language and currency information. The context object also provides a helper that switches the scope of the Context for a short time while running a callable function. This function can also be called from Twig, and because its second parameter accepts any callable, it is possible to call any statically callable PHP function/method from Twig. A customer cannot provide any Twig code; the attacker would require access to Administration to exploit it using Mail templates or App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42356","reference_id":"","reference_type":"","scores":[{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62937","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.63047","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.6305","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.63038","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42356"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683
734bfe0595038","reference_id":"04183e0c02af3b404eb7d52c683734bfe0595038","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware
/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42356","reference_id":"CVE-2024-42356","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42356"},{"reference_url":"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e","reference_id":"e43423bcc93c618c3036f94c12aa29514da8cf2e","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e"},{"reference_url":"https://github.com/advisories/GHSA-35jp-8cgg-p4wj","reference_id":"GHSA-35jp-8cgg-p4wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-35jp-8cgg-p4wj"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj","reference_id":"GHSA-35jp-8cgg-p4wj","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:
N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32942?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/734405?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-6tys-6s4d-fqcm"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-sq4j-drbr-fub6"},{"vulnerability":"VCID-stdp-p5h7-3kg3"},{"vulnerability":"VCID-u41w-g79s-eyez"},{"vulnerability":"VCID-ykq7-2fy3-b7e1"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"ht
tp://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32950?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42356","GHSA-35jp-8cgg-p4wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qhgp-qxed-7qbc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41018?format=json","vulnerability_id":"VCID-rfa4-81mz-qqd9","summary":"Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not consider ManyToMany associations, so they were not handled properly and the protections were not applied. This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. 
For older versions of 6.2, 6.3,  and 6.4, corresponding security measures are also available via a plugin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42354","reference_id":"","reference_type":"","scores":[{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62735","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.6273","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62723","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62622","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42354"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/core/commit/a784
aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01","reference_id":"ad83d38809df457efef21c37ce0996430334bf01","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42354","reference_id":"CVE-2024-42354","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42354"},{"reference_url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2","reference_id":"d35ee2ed
a5c995faeb08b3dad127eab65c64e2a2","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"reference_url":"https://github.com/advisories/GHSA-hhcq-ph6w-494g","reference_id":"GHSA-hhcq-ph6w-494g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhcq-ph6w-494g"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g","reference_id":"GHSA-hhcq-ph6w-494g","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32942?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:c
omposer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/734405?format=json","purl":"pkg:composer/shopware/core@6.6.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-6tys-6s4d-fqcm"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-sq4j-drbr-fub6"},{"vulnerability":"VCID-stdp-p5h7-3kg3"},{"vulnerability":"VCID-u41w-g79s-eyez"},{"vulnerability":"VCID-ykq7-2fy3-b7e1"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32950?format=json","purl":"pkg:composer/shopware/core@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.5%252B1"}],"aliases":["CVE-2024-42354","GHSA-hhcq-ph6w-494g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rfa4-81mz-qqd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212310?format=json","vulnerability_id":"VCID-sjfg-863y-c
3fp","summary":"Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.
10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-m895-2hj3-8cg9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sjfg-863y-c3fp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89802?format=json","vulnerability_id":"VCID-sq4j-drbr-fub6","summary":"Shopware is an open commerce platform. It's possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151","reference_id":"","reference_type":"","scores":[{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74498","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74495","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74411","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74484","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151"},{"reference_url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376414?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-stdp-p5h7-3kg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-ru
dk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"V
CID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-30151","GHSA-cgfj-hj93-rmh2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sq4j-drbr-fub6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90154?format=json","vulnerability_id":"VCID-stdp-p5h7-3kg3","summary":"Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible for an attacker to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get a response which clearly indicates that there is no account for this customer. In contrast, you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150","reference_id":"","reference_type":"","scores":[{"value":"0.00619","scoring_system":"epss","scoring_elements":"0.70601","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00619","scoring_system":"epss","scoring_elements":"0.70604","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74708","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74636","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system
":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150"},{"reference_url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/V
C:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376236?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://publ
ic2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-30150","GHSA-hh7j-6x3q-f52h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-stdp-p5h7-3kg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117184?format=json","vulnerability_id":"VCID-u41w-g79s-eyez","summary":"Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. 
NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892","reference_id":"","reference_type":"","scores":[{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79772","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79784","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.7979","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79707","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","sco
ring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001"},{"reference_url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://www.redteam-pentest
ing.de/en/advisories/rt-sa-2025-001/","reference_id":"rt-sa-2025-001","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376236?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B18"},{"url":"http://public2.vulnerablecode.io/api/packages/706583?format=json","purl":"pkg:composer/shopware/core@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-s7y9-5z3z-syec"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_v
ulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-27892","GHSA-8g35-7rmw-7f59"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u41w-g79s-eyez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114442?format=json","vulnerability_id":"VCID-ykq7-2fy3-b7e1","summary":"Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. 
With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63782","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63668","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6377","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63783","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln
/detail/CVE-2025-32378"},{"reference_url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376414?format=json","purl":"pkg:composer/shopware/core@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-stdp-p5h7-3kg3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/793116?format=json","purl":"pkg:composer/shopware/core@6.5.8.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vuln
erability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.17"},{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-32378","GHSA-4h9w-7vfp-px8m"],"risk_score":3.1,"exploitability":"0.
5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ykq7-2fy3-b7e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71472?format=json","vulnerability_id":"VCID-zhxv-e8fu-tucd","summary":"Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16072","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1605","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15931","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16084","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887","reference_id":"CVE-2026-31887","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887"},{"reference_url":"https://github.com/advisories/GHSA-7vvp-
j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vvp-j573-5584"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40705?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/962818?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/40703?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/962823?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31887","GHSA-7vvp-j5
73-5584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zhxv-e8fu-tucd"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.5.8.10"}