{"url":"http://public2.vulnerablecode.io/api/packages/792811?format=json","purl":"pkg:composer/shopware/core@6.6.8.2","type":"composer","namespace":"shopware","name":"core","version":"6.6.8.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.6.10.15","latest_non_vulnerable_version":"6.7.8.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212311?format=json","vulnerability_id":"VCID-43zt-wnjy-rudk","summary":"Shopware vulnerable to path traversal via Plugin upload","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6wh5-mw9h-5c3w"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w","reference_id":"GHSA-6wh5-mw9h-5c3w","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements
":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-6wh5-mw9h-5c3w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-6wh5-mw9h-5c3w"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-43zt-wnjy-rudk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212314?format=json","vulnerability_id":"VCID-5b7t-vavj-efae","summary":"Shopware Customer Orders can be canceled, even if refunds are 
disabled","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/b157508aef2c820e7ff89ebd5848d3019f22b592"},{"reference_url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r2vg-hvjm-fg38"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38","reference_id":"GHSA-r2vg-hvjm-fg38","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-r2vg-hvjm-fg38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vul
nerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-r2vg-hvjm-fg38"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5b7t-vavj-efae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71295?format=json","vulnerability_id":"VCID-637f-zxjb-8ufn","summary":"Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The \"not found\" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. 
This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17474","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17628","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17654","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17636","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31888"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888","reference_id":"CVE-2026-31888","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31888"},{"reference_url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gqc5-xv7m-gcjq"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq","reference_id":"GHSA-gqc5-xv7m-gcjq","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.
1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:39Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40705?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/962818?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/40703?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/962823?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31888","GHSA-gqc5-xv7m-gcjq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-637f-zxjb-8ufn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360508?format=json","vulnerability_id":"VCID-6tys-6s4d-fqcm","summary":"Shopware Broken ACL on Document retrieval to access other customers' documents\n### Impact\nIt's possible to guess the deepLinkCode of a Document to open documents of other customers\n\n### Patches\nUpdate to Shopware 6.6.10.3 or 
6.5.8.17\n\n### Workarounds\nFor older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","sc
oring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q"},{"reference_url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q","reference_id":"GHSA-68wv-g3fw-pq7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68wv-g3fw-pq7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability
":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["GHSA-68wv-g3fw-pq7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6tys-6s4d-fqcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212350?format=json","vulnerability_id":"VCID-a8xu-y9nr-9uag","summary":"Shopware 6's password recovery link does not expire after email change","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/1338dd9a11e361639704bf8f09b6878552eb8c13"},{"reference_url":"https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/2fb94855696a90045b81c503d216ba7df8e64e52"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.9","reference_id":"","r
eference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.9"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.4.1","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.4.1"},{"reference_url":"https://github.com/advisories/GHSA-2w46-vq8h-98vh","reference_id":"GHSA-2w46-vq8h-98vh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2w46-vq8h-98vh"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh","reference_id":"GHSA-2w46-vq8h-98vh","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35232?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B9","is_vulnerable":false,"affe
cted_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B9"},{"url":"http://public2.vulnerablecode.io/api/packages/879127?format=json","purl":"pkg:composer/shopware/core@6.6.10.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.9"},{"url":"http://public2.vulnerablecode.io/api/packages/35236?format=json","purl":"pkg:composer/shopware/core@6.7.4%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/879129?format=json","purl":"pkg:composer/shopware/core@6.7.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.4.1"}],"aliases":["GHSA-2w46-vq8h-98vh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a8xu-y9nr-9uag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71464?format=json","vulnerability_id":"VCID-dqba-4hk6-eud2","summary":"Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based authentication without sufficiently binding a shop installation to its original domain. During re‑registration, the shop-url could be updated without proving control over the previously registered shop or domain. 
This made targeted hijacking of app communication feasible if an attacker possessed the relevant app‑side secret. By abusing app re‑registration, an attacker could redirect app traffic to an attacker‑controlled domain and potentially obtain API credentials intended for the legitimate shop. This vulnerability is fixed in 6.6.10.15 and 6.7.8.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889","reference_id":"","reference_type":"","scores":[{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26177","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26375","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.2639","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00094","scoring_system":"epss","scoring_elements":"0.26378","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31889"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889","reference_id":"CVE-2026-31889","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31889"},{"reference_url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4p7-rwrg-pf6p"},{"reference_url":"https://github.com/sho
pware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p","reference_id":"GHSA-c4p7-rwrg-pf6p","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-12T20:04:03Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40705?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/962818?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/40703?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/962823?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31889","GHSA-c4p7-rwrg-pf6p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dqba-4hk6-eud2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212313?format=json","vulnerability_id":"V
CID-nhdh-f91b-kuex","summary":"Shopware exposes sensitive user information via CSV export mapping","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/c2c98050aff7b90fe7232f6dac9b6b7143183083"},{"reference_url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27c9-vp3w-6ww8"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8","reference_id":"GHSA-27c9-vp3w-6ww8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-27c9-vp3w-6ww8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode
.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-27c9-vp3w-6ww8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhdh-f91b-kuex"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212312?format=json","vulnerability_id":"VCID-nzcj-wu6c-pfgw","summary":"Shopware vulnerable to Server-Side Request Forgery (SSRF) – order 
invoice","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/f32737b34798d4800b81c67efee17905380d2be4"},{"reference_url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cpp-fv95-mpr5"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5","reference_id":"GHSA-3cpp-fv95-mpr5","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-3cpp-fv95-mpr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is_vulnerable":true,"affected_by
_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-3cpp-fv95-mpr5"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nzcj-wu6c-pfgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212310?format=json","vulnerability_id":"VCID-sjfg-863y-c3fp","summary":"Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields 
individually","references":[{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/commit/0965b35a527756faab2cec5a4ff172d79b0f99be"},{"reference_url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m895-2hj3-8cg9"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9","reference_id":"GHSA-m895-2hj3-8cg9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-m895-2hj3-8cg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34676?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B7"},{"url":"http://public2.vulnerablecode.io/api/packages/873685?format=json","purl":"pkg:composer/shopware/core@6.6.10.7","is
_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8xu-y9nr-9uag"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.7"},{"url":"http://public2.vulnerablecode.io/api/packages/34680?format=json","purl":"pkg:composer/shopware/core@6.7.3%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/873688?format=json","purl":"pkg:composer/shopware/core@6.7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.3.1"}],"aliases":["GHSA-m895-2hj3-8cg9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sjfg-863y-c3fp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89802?format=json","vulnerability_id":"VCID-sq4j-drbr-fub6","summary":"Shopware is an open commerce platform. It's possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. 
For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151","reference_id":"","reference_type":"","scores":[{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74498","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74495","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74411","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00796","scoring_system":"epss","scoring_elements":"0.74484","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30151"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151"},{"reference_url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgfj-hj93-rmh2"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2","reference_id":"GHSA-cgfj-hj93-rmh2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:47:17Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"htt
p://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-30151","GHSA-cgfj-hj93-rmh2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sq4j-drbr-fub6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90154?format=json","vulnerability_id":"VCID-stdp-p5h7-3kg3","summary":"Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible for an attacker to check whether a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. 
In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150","reference_id":"","reference_type":"","scores":[{"value":"0.00619","scoring_system":"epss","scoring_elements":"0.70601","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00619","scoring_system":"epss","scoring_elements":"0.70604","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74708","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00808","scoring_system":"epss","scoring_elements":"0.74636","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30150"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/sh
opware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30150"},{"reference_url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hh7j-6x3q-f52h"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h","reference_id":"GHSA-hh7j-6x3q-f52h","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T18:45:06Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-6
3ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-30150","GHSA-hh7j-6x3q-f52h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-stdp-p5h7-3kg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/117184?format=json","vulnerability_id":"VCID-u41w-g79s-eyez","summary":"Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892","reference_id":"","reference_type":"","scores":[{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79772","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79784","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.7979","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01246","scoring_system":"epss","scoring_elements":"0.79707","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27892"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17","reference_id":"","reference_type":"","scores":[{"value":"7.3
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.5.8.17"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.6.10.3"},{"reference_url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27892"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001"},{"reference_url":"https://github.com/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHS
A-8g35-7rmw-7f59"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59","reference_id":"GHSA-8g35-7rmw-7f59","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59"},{"reference_url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/","reference_id":"rt-sa-2025-001","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-16T14:51:41Z/"}],"url":"https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%2
52B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-27892","GHSA-8g35-7rmw-7f59"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u41w-g79s-eyez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114442?format=json","vulnerability_id":"VCID-ykq7-2fy3-b7e1","summary":"Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. 
The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378","reference_id":"","reference_type":"","scores":[{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63782","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63668","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.6377","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00441","scoring_system":"epss","scoring_elements":"0.63783","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32378"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32378"},{"reference_url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value"
:"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4h9w-7vfp-px8m"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m","reference_id":"GHSA-4h9w-7vfp-px8m","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-09T17:32:57Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/792816?format=json","purl":"pkg:composer/shopware/core@6.6.10.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.3"},{"url":"http://public2.vulnerablecode.io/api/packages/376234?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B3"},{"url":"http://public2.vulnerablecode.io/api/packages/376231?format=json","purl":"pkg:composer/shopware/core@6.7.0%2B0-rc2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"h
ttp://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0%252B0-rc2"},{"url":"http://public2.vulnerablecode.io/api/packages/792818?format=json","purl":"pkg:composer/shopware/core@6.7.0.0-rc2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-43zt-wnjy-rudk"},{"vulnerability":"VCID-4nnv-aqdx-x3gr"},{"vulnerability":"VCID-5b7t-vavj-efae"},{"vulnerability":"VCID-637f-zxjb-8ufn"},{"vulnerability":"VCID-9men-n7d5-63ct"},{"vulnerability":"VCID-a8xu-y9nr-9uag"},{"vulnerability":"VCID-dqba-4hk6-eud2"},{"vulnerability":"VCID-nhdh-f91b-kuex"},{"vulnerability":"VCID-nzcj-wu6c-pfgw"},{"vulnerability":"VCID-sjfg-863y-c3fp"},{"vulnerability":"VCID-zhxv-e8fu-tucd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.0.0-rc2"}],"aliases":["CVE-2025-32378","GHSA-4h9w-7vfp-px8m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ykq7-2fy3-b7e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71472?format=json","vulnerability_id":"VCID-zhxv-e8fu-tucd","summary":"Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. 
This vulnerability is fixed in 6.7.8.1 and 6.6.10.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16072","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.1605","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15931","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16084","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31887"},{"reference_url":"https://github.com/shopware/shopware","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/shopware/shopware"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887","reference_id":"CVE-2026-31887","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31887"},{"reference_url":"https://github.com/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7vvp-j573-5584"},{"reference_url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584","reference_id":"GHSA-7vvp-j573-5584","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.
0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-12T20:02:07Z/"}],"url":"https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40705?format=json","purl":"pkg:composer/shopware/core@6.6.10%2B15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10%252B15"},{"url":"http://public2.vulnerablecode.io/api/packages/962818?format=json","purl":"pkg:composer/shopware/core@6.6.10.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.10.15"},{"url":"http://public2.vulnerablecode.io/api/packages/40703?format=json","purl":"pkg:composer/shopware/core@6.7.8%2B1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8%252B1"},{"url":"http://public2.vulnerablecode.io/api/packages/962823?format=json","purl":"pkg:composer/shopware/core@6.7.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.7.8.1"}],"aliases":["CVE-2026-31887","GHSA-7vvp-j573-5584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zhxv-e8fu-tucd"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.6.8.2"}