
shopware — Vulnerabilities & Security Advisories (56)

Browse all 56 CVE security advisories affecting shopware. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Shopware is an open-source e-commerce platform, written in PHP on Symfony components, used mainly by mid-sized merchants to run storefronts with large product catalogs. The 56 CVEs recorded against it cluster around a few recurring weaknesses that are visible in the list below: code generation and server-side template injection in Twig-rendered views (CWE-94, CWE-1336), blind SQL injection in DAL aggregations (CWE-89), missing or broken authorization on store-api endpoints (CWE-284, CWE-863), session handling and expiration defects (CWE-613, CWE-524), account enumeration through distinguishable error responses (CWE-204), an SSRF in Flow Builder (CWE-918), and at least one abuse path that rests on a default setting (the newsletter opt-in defaults). Several advisories concern packages outside the core (commercial, platform, SwagPayPal), so an installation's exposure depends on which extensions are installed and how promptly each one is updated, not only on the core version. Administrators should track advisories per installed package, apply fixes promptly, and treat third-party extensions as part of the audited attack surface.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32142 | shopware/commercial: `/api/_info/config` route exposes information about licenses | commercial | CWE-200 | 5.3 | Medium | 2026-03-12 |
| CVE-2026-31889 | Shopware has a potential takeover of app credentials | core | CWE-290 | 8.9 | High | 2026-03-11 |
| CVE-2026-31888 | Shopware has user enumeration via distinct error codes on Store API login endpoint | core | CWE-204 | 5.3 | Medium | 2026-03-11 |
| CVE-2026-31887 | Shopware unauthenticated data extraction possible through store-api.order endpoint | core | CWE-863 | 9.1 (AI) | Critical (AI) | 2026-03-11 |
| CVE-2026-23498 | Shopware Improper Control of Generation of Code in Twig rendered views | shopware | CWE-94 | 7.2 | High | 2026-01-14 |
| CVE-2025-67648 | Shopware's improper input validation can lead to Reflected XSS through Storefront Login Page | shopware | CWE-79 | 7.1 | High | 2025-12-10 |
| CVE-2025-7954 | Race Condition in Shopware Voucher Submission | Shopware | CWE-362 | 5.9 (AI) | Medium (AI) | 2025-08-06 |
| CVE-2025-32378 | Shopware's default newsletter opt-in settings allow for mass sign-up abuse | shopware | CWE-799 | 6.5 (AI) | Medium (AI) | 2025-04-09 |
| CVE-2025-30150 | Shopware 6 allows attackers to check for registered accounts through the store-api | shopware | CWE-204 | 5.3 (AI) | Medium (AI) | 2025-04-08 |
| CVE-2025-30151 | Shopware allows Denial Of Service via password length | shopware | CWE-20 | 7.5 | High | 2025-04-08 |
| CVE-2024-42357 | Shopware vulnerable to blind SQL-injection in DAL aggregations | shopware | CWE-89 | 7.3 | High | 2024-08-08 |
| CVE-2024-42356 | Shopware vulnerable to Server Side Template Injection in Twig using Context functions | shopware | CWE-1336 | 8.3 | High | 2024-08-08 |
| CVE-2024-42355 | Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag | shopware | CWE-1336 | 8.3 | High | 2024-08-08 |
| CVE-2024-42354 | Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api | shopware | CWE-284 | 5.3 | Medium | 2024-08-08 |
| CVE-2024-31447 | Shopware has Improper Session Handling in store-api | shopware | CWE-613 | 5.3 | Medium | 2024-04-08 |
| CVE-2024-27917 | Shopware's session is persistent in Cache for 404 pages | shopware | CWE-524 | 7.5 | High | 2024-03-06 |
| CVE-2024-22406 | Blind SQL-injection in DAL aggregations in Shopware | shopware | CWE-89 | 9.3 | Critical | 2024-01-16 |
| CVE-2024-22407 | Broken Access Control order API in Shopware | shopware | CWE-284 | 4.9 | Medium | 2024-01-16 |
| CVE-2024-22408 | Server-Side Request Forgery (SSRF) in Shopware Flow Builder | shopware | CWE-918 | 7.6 | High | 2024-01-16 |
| CVE-2023-34099 | Improper mail validation in Shopware | shopware | CWE-754 | 5.3 | Medium | 2023-06-27 |
| CVE-2023-34098 | Dependency configuration exposed in Shopware | shopware | CWE-200 | 5.3 | Medium | 2023-06-27 |
| CVE-2023-23941 | SwagPayPal payment not sent to PayPal correctly | SwagPayPal | CWE-345 | 7.5 | High | 2023-02-03 |
| CVE-2023-22733 | Improper Output Neutralization in Log Module in shopware | platform | CWE-532 | 2.7 | Low | 2023-01-17 |
| CVE-2023-22732 | Insufficient Session Expiration in Administration in shopware | platform | CWE-613 | 3.7 | Low | 2023-01-17 |
| CVE-2023-22731 | Improper Control of Generation of Code in Twig rendered views in shopware | platform | CWE-94 | 10.0 | Critical | 2023-01-17 |
| CVE-2023-22730 | Improper Input Validation of Clearance sale in cart | platform | CWE-20 | 5.3 | Medium | 2023-01-17 |
| CVE-2023-22734 | Improper Input Newsletter subscription option validation in shopware | platform | CWE-20 | 4.3 | Medium | 2023-01-17 |
| CVE-2022-36102 | Access control list bypassed via crafted specific URLs | shopware | CWE-281 | 6.3 | Medium | 2022-09-12 |
| CVE-2022-36101 | Sensitive data in backend customer module | shopware | CWE-200 | 5.4 | Medium | 2022-09-12 |
| CVE-2022-31148 | Persistent cross site scripting in customer module in Shopware | shopware | CWE-79 | 5.4 | Medium | 2022-08-01 |

CVSS scores and severities marked (AI) are flagged on the source listing as AI-estimated rather than taken from the advisory itself; treat them as a triage hint, not a vendor rating. 28 of the 56 advisories appear on this page.
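The "fast triage" this listing is meant to support is easier once the rows are machine-readable. The following is an added example, not code from this page or from the Shopware project: a small Python parser for the raw one-line-per-advisory form in which the listing extracts (CVE ID, title, a dash, the component name fused to the CWE, then score, severity and date, with "AI" badges fused to the score and severity when the site estimated them). The ten rows in `SAMPLE_ROWS` are copied from the table above; the row format, the `Advisory` record and the `triage`/`cwe_histogram` helpers are this example's own assumptions, and a row that does not fit the assumed shape raises instead of being silently dropped, so a layout change on the source page is noticed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Ten rows copied from the listing above, in the raw one-line-per-advisory form in
# which the page extracts (component glued to the CWE, "AI" badges glued to score and
# severity). The parser assumes exactly this shape (assumption of this example).
SAMPLE_ROWS = """\
CVE-2026-32142 shopware/commercial: `/api/_info/config` route exposes information about licenses — commercialCWE-200 5.3 Medium2026-03-12
CVE-2026-31889 Shopware has a potential take over of app credentials — coreCWE-290 8.9 High2026-03-11
CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint — coreCWE-863 9.1AICriticalAI2026-03-11
CVE-2025-7954 Race Condition in Shopware Voucher Submission — ShopwareCWE-362 5.9AIMediumAI2025-08-06
CVE-2024-42357 Shopware vulnerable to blind SQL-injection in DAL aggregations — shopwareCWE-89 7.3 High2024-08-08
CVE-2024-42356 Shopware vulnerable to Server Side Template Injection in Twig using Context functions — shopwareCWE-1336 8.3 High2024-08-08
CVE-2024-42355 Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag — shopwareCWE-1336 8.3 High2024-08-08
CVE-2024-22406 Blind SQL-injection in DAL aggregations in Shopware — shopwareCWE-89 9.3 Critical2024-01-16
CVE-2023-23941 SwagPayPal payment not sent to PayPal correctly — SwagPayPalCWE-345 7.5 High2023-02-03
CVE-2023-22731 Improper Control of Generation of Code in Twig rendered views in shopware — platformCWE-94 10.0 Critical2023-01-17
"""

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s" + "\u2014" + r"\s"            # title runs up to the " dash " separator
    r"(?P<component>[A-Za-z]+?)CWE-(?P<cwe>\d+)\s+"    # component name is fused to "CWE-nnn"
    r"(?P<cvss>\d{1,2}\.\d)(?P<cvss_ai>AI)?\s*"        # "9.1AI" marks an AI-estimated score
    r"(?P<severity>Critical|High|Medium|Low)(?P<sev_ai>AI)?\s*"
    r"(?P<published>\d{4}-\d{2}-\d{2})\s*$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    component: str
    cwe: str          # normalised to "CWE-nnn"
    cvss: float
    severity: str
    published: str    # ISO date exactly as printed on the page
    estimated: bool   # True when the score or severity carried the listing's "AI" badge


def parse_listing(text: str) -> list[Advisory]:
    """Parse raw listing rows into Advisory records; fail loudly on an unrecognised row."""
    advisories = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised advisory row: {line!r}")
        advisories.append(Advisory(
            cve=m["cve"],
            title=m["title"],
            component=m["component"],
            cwe=f"CWE-{m['cwe']}",
            cvss=float(m["cvss"]),
            severity=m["severity"],
            published=m["published"],
            estimated=bool(m["cvss_ai"] or m["sev_ai"]),
        ))
    return advisories


def triage(advisories, min_cvss=7.0, include_estimated=True):
    """Worklist of advisories at or above min_cvss, highest score first.

    include_estimated=False drops rows whose score was AI-estimated, for teams that
    only want to act on scores stated in the advisory itself.
    """
    picked = [a for a in advisories
              if a.cvss >= min_cvss and (include_estimated or not a.estimated)]
    return sorted(picked, key=lambda a: (-a.cvss, a.cve))


def cwe_histogram(advisories) -> Counter:
    """Which weakness classes recur; useful for deciding where to add tests or hardening."""
    return Counter(a.cwe for a in advisories)


if __name__ == "__main__":
    advs = parse_listing(SAMPLE_ROWS)
    for a in triage(advs):
        flag = " (AI-estimated)" if a.estimated else ""
        print(f"{a.cve}  {a.cvss:>4}{flag:<16} {a.component:<11} {a.cwe:<9} {a.title}")
    print(cwe_histogram(advs).most_common(3))
```

Run stand-alone it prints the high and critical rows from the sample in score order, with AI-estimated scores flagged, followed by the most frequent CWEs; the same helpers applied to the full export of the listing give a per-component worklist that can be matched against the packages actually installed (`shopware/core`, `shopware/commercial`, the PayPal extension, and so on).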

This page lists every published CVE security advisory associated with shopware. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.