{"url":"http://public2.vulnerablecode.io/api/packages/756278?format=json","purl":"pkg:composer/shopware/platform@6.5.8.10","type":"composer","namespace":"shopware","name":"platform","version":"6.5.8.10","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.6.10.15","latest_non_vulnerable_version":"6.7.8.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55653?format=json","vulnerability_id":"VCID-14t2-9jjh-uyhb","summary":"Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api\nThe store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON.\n\nThe processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used.\n\nThis issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42354","reference_id":"","reference_type":"","scores":[{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62558","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62557","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62543","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62567","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00424","scoring_system":"epss","scoring_elements":"0.62559","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42354"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42354","reference_id":"CVE-2024-42354","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42354"},{"reference_url":"https://github.com/advisories/GHSA-hhcq-ph6w-494g","reference_id":"GHSA-hhcq-ph6w-494g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhcq-ph6w-494g"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g","reference_id":"GHSA-hhcq-ph6w-494g","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T15:24:16Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82370?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/82371?format=json","purl":"pkg:composer/shopware/platform@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1"}],"aliases":["CVE-2024-42354","GHSA-hhcq-ph6w-494g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-14t2-9jjh-uyhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57104?format=json","vulnerability_id":"VCID-5f2j-cjfz-13a6","summary":"Shopware Broken ACL on Document retrieval to access other customers documents\nIt's possible to guess the deepLinkCode of an Document to open documents of other customers","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"GHSA-68wv-g3fw-pq7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"GHSA-68wv-g3fw-pq7q","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84777?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkbu-cs9b-5kdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813448?format=json","purl":"pkg:composer/shopware/platform@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84766?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813450?format=json","purl":"pkg:composer/shopware/platform@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84765?format=json","purl":"pkg:composer/shopware/platform@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2"}],"aliases":["GHSA-68wv-g3fw-pq7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5f2j-cjfz-13a6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55658?format=json","vulnerability_id":"VCID-8a7v-6u8f-1bgw","summary":"Shopware vulnerable to Server Side Template Injection in Twig using Context functions\nThe `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function.\n\nExample call from PHP:\n\n```php\n$context->scope(Context::SYSTEM_SCOPE, static function (Context $context) use ($mediaService, $media, &$fileBlob): void {\n$fileBlob = $mediaService->loadFile($media->getId(), $context);\n});\n```\n\nThis function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method.\n\nIt's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42356","reference_id":"","reference_type":"","scores":[{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62857","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62872","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62882","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00429","scoring_system":"epss","scoring_elements":"0.62873","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42356"},{"reference_url":"https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/core/commit/04183e0c02af3b404eb7d52c683734bfe0595038"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/commit/e43423bcc93c618c3036f94c12aa29514da8cf2e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42356","reference_id":"CVE-2024-42356","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42356"},{"reference_url":"https://github.com/advisories/GHSA-35jp-8cgg-p4wj","reference_id":"GHSA-35jp-8cgg-p4wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-35jp-8cgg-p4wj"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj","reference_id":"GHSA-35jp-8cgg-p4wj","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-09T15:51:49Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-35jp-8cgg-p4wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82370?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/82371?format=json","purl":"pkg:composer/shopware/platform@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1"}],"aliases":["CVE-2024-42356","GHSA-35jp-8cgg-p4wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8a7v-6u8f-1bgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48092?format=json","vulnerability_id":"VCID-9ksd-2p9q-bkbx","summary":"Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice\nServer-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the\norganization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4"},{"reference_url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71041?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892829?format=json","purl":"pkg:composer/shopware/platform@6.6.10.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/892842?format=json","purl":"pkg:composer/shopware/platform@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71040?format=json","purl":"pkg:composer/shopware/platform@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1"}],"aliases":["GHSA-3cpp-fv95-mpr5"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ksd-2p9q-bkbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50873?format=json","vulnerability_id":"VCID-avzz-tczy-y7d3","summary":"Shopware vulnerable to a potential take over of app credentials\nWe identified and fixed a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop.\nWe have no evidence that this vulnerability has been exploited.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26188","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26138","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26132","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26234","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26241","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889","reference_id":"CVE-2026-31889","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889"},{"reference_url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74787?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/980949?format=json","purl":"pkg:composer/shopware/platform@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/74786?format=json","purl":"pkg:composer/shopware/platform@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/980961?format=json","purl":"pkg:composer/shopware/platform@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8.1"}],"aliases":["CVE-2026-31889","GHSA-c4p7-rwrg-pf6p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-avzz-tczy-y7d3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57105?format=json","vulnerability_id":"VCID-fkbu-cs9b-5kdq","summary":"Shopware 6 allows attackers to check for registered accounts through the store-api\nThrough the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop.\n\nUsing the store-api endpoint `/store-api/account/recovery-password` you get the response\n```\n{\"errors\":[{\"status\":\"404\",\"code\":\"CHECKOUT__CUSTOMER_NOT_FOUND\",\"title\":\"Not Found\",\"detail\":\"No matching customer for the email \\u0022asdasfd@asdads.de\\u0022 was found.\",\"meta\":{\"parameters\":{\"email\":\"asdasfd@asdads.de\"}}}]}\n```\n\nwhich indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150","reference_id":"","reference_type":"","scores":[{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74586","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74563","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74581","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74592","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74589","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150","reference_id":"CVE-2025-30150","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150"},{"reference_url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84767?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B18"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813448?format=json","purl":"pkg:composer/shopware/platform@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84766?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813450?format=json","purl":"pkg:composer/shopware/platform@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84765?format=json","purl":"pkg:composer/shopware/platform@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-30150","GHSA-hh7j-6x3q-f52h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fkbu-cs9b-5kdq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55657?format=json","vulnerability_id":"VCID-hq7q-hbbd-7yea","summary":"Shopware vulnerable to blind SQL-injection in DAL aggregations\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. The ‘name’ field in this “aggregations” object is vulnerable SQL-injection and can be exploited using SQL parameters.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42357","reference_id":"","reference_type":"","scores":[{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74739","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74742","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74716","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74732","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00817","scoring_system":"epss","scoring_elements":"0.74744","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42357"},{"reference_url":"https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42357","reference_id":"CVE-2024-42357","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42357"},{"reference_url":"https://github.com/advisories/GHSA-p6w9-r443-r752","reference_id":"GHSA-p6w9-r443-r752","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p6w9-r443-r752"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752","reference_id":"GHSA-p6w9-r443-r752","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:17:05Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82370?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/82371?format=json","purl":"pkg:composer/shopware/platform@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1"}],"aliases":["CVE-2024-42357","GHSA-p6w9-r443-r752"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hq7q-hbbd-7yea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48095?format=json","vulnerability_id":"VCID-hydh-s4nh-2bct","summary":"Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually\nIn Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be constructed to bypass these checks and enumerate private media records such as invoices or other restricted documents. A low‑privilege backend user (e.g., product editor) can chain normal business flows (creating or viewing orders) with aggregation queries to disclose sensitive customer data including addresses and payment-related information contained within associated private media. The issue is resolved in 6.6.10.7 and 6.7.3.1.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71041?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892829?format=json","purl":"pkg:composer/shopware/platform@6.6.10.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/892842?format=json","purl":"pkg:composer/shopware/platform@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71040?format=json","purl":"pkg:composer/shopware/platform@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1"}],"aliases":["GHSA-m895-2hj3-8cg9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hydh-s4nh-2bct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48094?format=json","vulnerability_id":"VCID-mtmv-v5sx-eqg7","summary":"Shopware Customer Orders can be canceled, even if refunds are disabled\nRefunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel).Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route (and also not in the controller):\n https://github.com/shopware/shopware/blob/trunk/src/Storefront/Controller/AccountOrderController.php#L98 \n https://github.com/shopware/shopware/blob/trunk/src/Core/Checkout/Order/SalesChannel/CancelOrderRoute.php \n\nTo mitigate this, a check should be added to the `CancelOrderRoute` which verifies that the feature is enabled.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592"},{"reference_url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71041?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892829?format=json","purl":"pkg:composer/shopware/platform@6.6.10.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/892842?format=json","purl":"pkg:composer/shopware/platform@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71040?format=json","purl":"pkg:composer/shopware/platform@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1"}],"aliases":["GHSA-r2vg-hvjm-fg38"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mtmv-v5sx-eqg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57117?format=json","vulnerability_id":"VCID-p1jm-k5y2-h3bp","summary":"Shopware default newsletter opt-in settings allow for mass sign-up abuse\nCurrently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.\n\nDefault settings are:\n\nNewsletter: Double Opt-in - active\n\nNewsletter: Double opt-in for registered customers - disabled\n\nLog-in & sign-up: Double opt-in on sign-up - disabled\n\nWith these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63598","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63604","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63584","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63596","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63605","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378","reference_id":"CVE-2025-32378","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378"},{"reference_url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/814034?format=json","purl":"pkg:composer/shopware/platform@6.5.8.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.17"},{"url":"http://public2.vulnerablecode.io/api/packages/84777?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkbu-cs9b-5kdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/813448?format=json","purl":"pkg:composer/shopware/platform@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84766?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813450?format=json","purl":"pkg:composer/shopware/platform@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84765?format=json","purl":"pkg:composer/shopware/platform@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-32378","GHSA-4h9w-7vfp-px8m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p1jm-k5y2-h3bp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48090?format=json","vulnerability_id":"VCID-q5p6-3znn-s3ab","summary":"Shopware exposes sensitive user information via CSV export mapping\nSensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:\n• Data regarding other users, such as usernames and/or e-mail addresses\n• Sensitive commercial data such as customer names\n• Technical details about the website and/or the underlying infrastructure\nDisclosing technical details, such as detailed version information, allows malicious actors to look for targeted vulnerabilities and/or misconfigurations in the application or in the underlying infrastructure. In addition, an application is more likely to be targeted by attacks that specifically target a particular version of the software used.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083"},{"reference_url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71041?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892829?format=json","purl":"pkg:composer/shopware/platform@6.6.10.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/892842?format=json","purl":"pkg:composer/shopware/platform@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71040?format=json","purl":"pkg:composer/shopware/platform@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1"}],"aliases":["GHSA-27c9-vp3w-6ww8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q5p6-3znn-s3ab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55654?format=json","vulnerability_id":"VCID-rxhq-fukk-93ek","summary":"Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag\nShopware has a new Twig Tag `sw_silent_feature_call` which silences deprecation messages while triggered in this tag.\nIt accepts as parameter a string the feature flag name to silence, but this parameter is not escaped properly and allows execution of code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42355","reference_id":"","reference_type":"","scores":[{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77937","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77918","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77929","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77938","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01052","scoring_system":"epss","scoring_elements":"0.77932","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42355"},{"reference_url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f"},{"reference_url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/commit/445c6763cc093fbd651e0efaa4150deae4ae60da"},{"reference_url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355","reference_id":"CVE-2024-42355","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42355"},{"reference_url":"https://github.com/advisories/GHSA-27wp-jvhw-v4xp","reference_id":"GHSA-27wp-jvhw-v4xp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27wp-jvhw-v4xp"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp","reference_id":"GHSA-27wp-jvhw-v4xp","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-08T15:26:25Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27wp-jvhw-v4xp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82370?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B13"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/82371?format=json","purl":"pkg:composer/shopware/platform@6.6.5%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.5%252B1"}],"aliases":["CVE-2024-42355","GHSA-27wp-jvhw-v4xp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rxhq-fukk-93ek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50860?format=json","vulnerability_id":"VCID-sufc-w77t-pufy","summary":"Shopware: Unauthenticated data extraction possible through store-api.order endpoint\nAn insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the `deepLinkCode` support on the `store-api.order` endpoint.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15906","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15841","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1582","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15948","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15958","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887","reference_id":"CVE-2026-31887","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887"},{"reference_url":"https://github.com/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vvp-j573-5584"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74787?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/980949?format=json","purl":"pkg:composer/shopware/platform@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/74786?format=json","purl":"pkg:composer/shopware/platform@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/980961?format=json","purl":"pkg:composer/shopware/platform@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8.1"}],"aliases":["CVE-2026-31887","GHSA-7vvp-j573-5584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sufc-w77t-pufy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50862?format=json","vulnerability_id":"VCID-tahr-n29c-v3fw","summary":"Shopware has user enumeration via distinct error codes on Store API login endpoint\nThe Store API login endpoint (`POST /store-api/account/login`) returns different error codes depending on whether the submitted email address belongs to a registered customer (`CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS`) or is unknown (`CHECKOUT__CUSTOMER_NOT_FOUND`). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17454","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17391","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17374","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.1749","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17495","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888","reference_id":"CVE-2026-31888","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888"},{"reference_url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/980948?format=json","purl":"pkg:composer/shopware/platform@6.6.10.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.14"},{"url":"http://public2.vulnerablecode.io/api/packages/74800?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B14"},{"url":"http://public2.vulnerablecode.io/api/packages/74786?format=json","purl":"pkg:composer/shopware/platform@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/980961?format=json","purl":"pkg:composer/shopware/platform@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.8.1"}],"aliases":["CVE-2026-31888","GHSA-gqc5-xv7m-gcjq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tahr-n29c-v3fw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57096?format=json","vulnerability_id":"VCID-w2jq-5a2z-q3cr","summary":"Shopware Vulnerable to Blind SQL-injection in DAL aggregations\nThe Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations”\nobject. The ‘name’ field in this “aggregations” **in nested** object is vulnerable SQL-injection and can be exploited using SQL parameters.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892","reference_id":"","reference_type":"","scores":[{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79657","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79662","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79665","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79656","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79646","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892","reference_id":"CVE-2025-27892","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892"},{"reference_url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/","reference_id":"rt-sa-2025-001","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84767?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B18"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813448?format=json","purl":"pkg:composer/shopware/platform@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84766?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813450?format=json","purl":"pkg:composer/shopware/platform@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84765?format=json","purl":"pkg:composer/shopware/platform@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-27892","GHSA-8g35-7rmw-7f59"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w2jq-5a2z-q3cr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57790?format=json","vulnerability_id":"VCID-x961-c63r-uydu","summary":"Shopware race condition bypasses voucher restrictions\nA race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7954","reference_id":"","reference_type":"","scores":[{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48768","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48736","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.4872","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.4875","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.4876","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7954"},{"reference_url":"http://seclists.org/fulldisclosure/2025/Aug/17","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2025/Aug/17"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/issues/11245","reference_id":"","reference_type":"","scores":[{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-07T14:38:04Z/"}],"url":"https://github.com/shopware/shopware/issues/11245"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7954","reference_id":"CVE-2025-7954","reference_type":"","scores":[{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7954"},{"reference_url":"https://github.com/advisories/GHSA-27gv-mg7w-mm34","reference_id":"GHSA-27gv-mg7w-mm34","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27gv-mg7w-mm34"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/839478?format=json","purl":"pkg:composer/shopware/platform@6.6.10.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.5"}],"aliases":["CVE-2025-7954","GHSA-27gv-mg7w-mm34"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x961-c63r-uydu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48093?format=json","vulnerability_id":"VCID-zpm7-dc1q-7qf9","summary":"Shopware vulnerable to path traversal via Plugin upload\nA path traversal vulnerability allows malicious actors to access files and folders that are outside the folder structure accessible to the affected function. This vulnerability occurs when an application uses unfiltered user input to point to the path of a specific file and retrieve it. This can result in gaining read/write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In certain cases, it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71041?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/892829?format=json","purl":"pkg:composer/shopware/platform@6.6.10.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/892842?format=json","purl":"pkg:composer/shopware/platform@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3.1"},{"url":"http://public2.vulnerablecode.io/api/packages/71040?format=json","purl":"pkg:composer/shopware/platform@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.3%252B1"}],"aliases":["GHSA-6wh5-mw9h-5c3w"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zpm7-dc1q-7qf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57101?format=json","vulnerability_id":"VCID-zrbg-5afh-9ybc","summary":"Shopware allows Denial Of Service via password length\nIt's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151","reference_id":"","reference_type":"","scores":[{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74337","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74355","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74368","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74363","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151","reference_id":"CVE-2025-30151","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151"},{"reference_url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84777?format=json","purl":"pkg:composer/shopware/platform@6.5.8%2B17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkbu-cs9b-5kdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8%252B17"},{"url":"http://public2.vulnerablecode.io/api/packages/724537?format=json","purl":"pkg:composer/shopware/platform@6.5.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1y27-nc7s-w7ar"},{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-yyvf-p4b3-gubw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/813448?format=json","purl":"pkg:composer/shopware/platform@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-x961-c63r-uydu"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84766?format=json","purl":"pkg:composer/shopware/platform@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/813450?format=json","purl":"pkg:composer/shopware/platform@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ksd-2p9q-bkbx"},{"vulnerability":"VCID-avzz-tczy-y7d3"},{"vulnerability":"VCID-hydh-s4nh-2bct"},{"vulnerability":"VCID-mtmv-v5sx-eqg7"},{"vulnerability":"VCID-q5p6-3znn-s3ab"},{"vulnerability":"VCID-sufc-w77t-pufy"},{"vulnerability":"VCID-tahr-n29c-v3fw"},{"vulnerability":"VCID-zpm7-dc1q-7qf9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0.0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/84765?format=json","purl":"pkg:composer/shopware/platform@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.7.0%252B0-rc2"}],"aliases":["CVE-2025-30151","GHSA-cgfj-hj93-rmh2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zrbg-5afh-9ybc"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/platform@6.5.8.10"}