shopware/platform Security Advisories for 6.4.14.0 (18)
-
[LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse
PKSA-7zw7-y79b-kv9s CVE-2025-32378 GHSA-4h9w-7vfp-px8m
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0-rc1,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents
PKSA-9qy7-f7jp-k813 GHSA-68wv-g3fw-pq7q
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations
PKSA-fkd6-58gd-wqfz CVE-2025-27892 GHSA-8g35-7rmw-7f59
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[HIGH] Shopware allows Denial Of Service via password length
PKSA-qf2k-hv7v-9bz9 CVE-2025-30151 GHSA-cgfj-hj93-rmh2
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api
PKSA-4xth-xj4w-m8t1 CVE-2025-30150 GHSA-hh7j-6x3q-f52h
Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations
PKSA-4jyx-mm79-zmg7 CVE-2024-42357 GHSA-p6w9-r443-r752
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions
PKSA-69f8-ft32-qt99 CVE-2024-42356 GHSA-35jp-8cgg-p4wj
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag
PKSA-44zj-btqf-vtmh CVE-2024-42355 GHSA-27wp-jvhw-v4xp
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api
PKSA-c7v1-2zh3-y11f CVE-2024-42354 GHSA-hhcq-ph6w-494g
Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12
Reported by:
GitHub -
[MEDIUM] Shopware Improper Session Handling in store-api account logout
PKSA-z88n-916m-msqr CVE-2024-31447 GHSA-5297-wrrp-rcj7
Affected version: >=6.6.0.0-rc1,<6.6.1.0|>=6.3.5.0,<6.5.8.8
Reported by:
GitHub -
[MEDIUM] Broken Access Control order API in Shopware
PKSA-9n6r-fddd-r9bb CVE-2024-22407 GHSA-3867-jc5c-66qf
Affected version: <=6.5.7.3
Reported by:
GitHub -
[CRITICAL] Blind SQL injection in shopware
PKSA-sz3r-ymxp-htg6 CVE-2024-22406 GHSA-qmp9-2xwj-m6m9
Affected version: <=6.5.7.3
Reported by:
GitHub -
[HIGH] Improper Control of Generation of Code in Twig rendered views
PKSA-y73d-9xyp-2rvj CVE-2023-2017 GHSA-7v2v-9rm4-7m8f
Affected version: <=6.4.20.0
Reported by:
GitHub -
[MEDIUM] Shopware has Improper Input Validation issue in newsletter subscription
PKSA-vpqc-w91w-1ctj CVE-2023-22734 GHSA-46h7-vj7x-fxg2
Affected version: <=6.4.18.0
Reported by:
GitHub -
[LOW] Shopware has Insufficient Session Expiration in Administration
PKSA-z2wh-qqqg-rhx7 CVE-2023-22732 GHSA-59qg-93jg-236f
Affected version: <=6.4.18.0
Reported by:
GitHub -
[LOW] Shopware's log module vulnerable to Improper Output Neutralization
PKSA-7wby-zzwm-g7gb CVE-2023-22733 GHSA-7cp7-jfp6-jh4f
Affected version: <=6.4.18.0
Reported by:
GitHub -
[CRITICAL] Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views
PKSA-ww33-9chf-zq86 CVE-2023-22731 GHSA-93cw-f5jj-x85w
Affected version: <=6.4.18.0
Reported by:
GitHub -
[MEDIUM] Shopware vulnerable to Improper Input Validation of Clearance sale in cart
PKSA-zx3q-w3f7-cp5k CVE-2023-22730 GHSA-8r6h-m72v-38fg
Affected version: <=6.4.18.0
Reported by:
GitHub