Product
shopware
69 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-31889 (affected: < 6.6.10.15)
Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that

CVE-2026-31888 (affected: < 6.6.10.15)
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login

CVE-2026-31887 (affected: < 6.6.10.15)
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticat

CVE-2026-23498 (affected: >= 6.7.0.0 and < 6.7.6.1)
Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array c

CVE-2025-67648 (affected: >= 6.4.6.0 and < 6.6.10.10)
Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerab

CVE-2025-7954 (affected: >= 6.6.0.0 and < 6.7.2.0)
A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to by

CVE-2025-51541 (affected: >= 6.1.0 and < 6.2.3)
A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-co

CVE-2025-27892 (affected: < 6.5.8.17)
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issu

CVE-2025-32378 (affected: < 6.5.8.17)
Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in all

CVE-2025-30151 (affected: < 6.5.8.17)
Shopware is an open commerce platform. It's possible to pass long passwords that lead to Denial Of Service via forms in Storefron

CVE-2025-30150 (affected: < 6.5.8.18)
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as an attacker to

CVE-2024-42357 (affected: < 6.5.8.13)
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the Shopware application API contains a search func

CVE-2024-42356 (affected: < 6.5.8.13)
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the context variable is injected into almost any

CVE-2024-42355 (affected: < 6.5.8.13)
Shopware, an open ecommerce platform, has a new Twig Tag sw_silent_feature_call which silences deprecation messages while trigge

CVE-2024-42354 (affected: < 6.5.8.13)
Shopware is an open commerce platform. The store-API works with regular entities and does not expose all fields for the public API; fie

CVE-2024-31447 (affected: >= 6.3.5.0 and < 6.5.8.8)
Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.

CVE-2024-27917 (affected: >= 6.5.8.0 and < 6.5.8.7)
Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and

CVE-2024-22408 (affected: < 6.5.7.4)
Shopware is an open headless commerce platform. The implemented Flow Builder functionality in the Shopware application does not ad

CVE-2024-22407 (affected: < 6.5.7.4)
Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify use

CVE-2024-22406 (affected: < 6.5.7.4)
Shopware is an open headless commerce platform. The Shopware application API contains a search functionality which enables users t

CVE-2023-34099 (affected: >= 5.1.4 and <= 5.7.17)
Shopware is an open source e-commerce software. The mail validation in the registration process had some flaws, so it was possible

CVE-2023-34098 (affected: >= 5.6.0 and < 5.7.18)
Shopware is an open source e-commerce software. Due to an incorrect configuration in the .htaccess file, the configuration file

CVE-2022-48150 (affected: all versions)
Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.

CVE-2023-2017 (affected: >= 6.1.0 and <= 6.4.20.0)
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and

CVE-2023-23941 (affected: < 5.4.4)
SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart

CVE-2023-22734 (affected: < 6.4.18.1)
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The newsletter double opt-in validation was no

CVE-2023-22733 (affected: < 6.4.18.1)
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions the log module would writ

CVE-2023-22732 (affected: < 6.4.18.1)
Shopware is an open source commerce platform based on Symfony Framework and Vue js. The Administration session expiration was set

CVE-2023-22731 (affected: < 6.4.18.1)
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment without the Sandbox ex

CVE-2023-22730 (affected: < 6.4.18.1)
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In affected versions it was possible to put th

CVE-2022-36102 (affected: >= 5.0.0 and < 5.7.15)
Shopware is an open source e-commerce software. In affected versions if backend admin controllers are called with a certain notati

CVE-2022-36101 (affected: >= 5.0.0 and < 5.7.15)
Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend admin

CVE-2022-31148 (affected: >= 5.7.0 and < 5.7.14)
Shopware is an open source e-commerce software. In versions from 5.7.0 a persistent cross site scripting (XSS) vulnerability exist

CVE-2022-31057 (affected: >= 5.0.0 and < 5.7.12)
Shopware is an open source e-commerce software made in Germany. Versions of Shopware 5 prior to version 5.7.12 are subject to an a

CVE-2022-24892 (affected: >= 5.0.4 and < 5.7.9)
Shopware is an open source e-commerce software platform. Starting with version 5.0.4 and before version 5.7.9, multiple tokens for

CVE-2022-24879 (affected: >= 5.2.0 and < 5.7.9)
Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 are vulnerable to malfunction of cross-site reque

CVE-2022-24873 (affected: >= 5.0.0 and < 5.7.9)
Shopware is an open source e-commerce software platform. Prior to version 5.7.9, Shopware is vulnerable to non-stored cross-site s

CVE-2022-24872 (affected: < 6.4.10.1)
Shopware is an open commerce platform based on Symfony Framework and Vue. Permissions set to sales channel context by admin-api ar

CVE-2022-24871 (affected: < 6.4.10.1)
Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK

CVE-2022-24956 (affected: >= 1.0.0 and < 1.5.1)
An issue was discovered in Shopware B2B-Suite through 4.4.1. The sort-by parameter of the search functionality of b2border and b2b

CVE-2022-24748 (affected: < 6.4.8.2)
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.

CVE-2022-24747 (affected: < 6.4.8.2)
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of sh

CVE-2022-24746 (affected: < 6.4.8.1)
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions it

CVE-2022-24745 (affected: < 6.4.8.2)
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions gu

CVE-2022-24744 (affected: < 6.4.8.1)
Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions us

CVE-2022-21652 (affected: >= 5.7.3 and < 5.7.7)
Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the

CVE-2022-21651 (affected: >= 5.0.0 and < 5.7.7)
Shopware is an open source e-commerce software platform. An open redirect vulnerability has been discovered. Users may be arbitrar

CVE-2021-41188 (affected: < 5.7.6)
Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is p

CVE-2021-37711 (affected: >= 6.1.0 and < 6.4.3.1)
Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3

CVE-2021-37710 (affected: < 6.4.3.1)
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a Cross-Site Scripting vulnerability via SVG medi

CVE-2021-37709 (affected: < 6.4.3.1)
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct obje

CVE-2021-37708 (affected: >= 6.1.0 and < 6.4.3.1)
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent s

CVE-2021-37707 (affected: >= 6.1.0 and < 6.4.3.1)
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability that allows manipulation of produ

CVE-2021-32717 (affected: >= 6.1.0 and < 6.4.1.1)
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage p

CVE-2021-32716 (affected: >= 6.1.0 and < 6.4.1.1)
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields

CVE-2021-32713 (affected: >= 5.0.0 and < 5.6.10)
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration

CVE-2021-32712 (affected: >= 5.0.0 and < 5.6.10)
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error hand

CVE-2021-32711 (affected: < 6.3.5.1)
Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak information via Store-API. The vulnerability

CVE-2021-32710 (affected: < 6.3.5.2)
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recomm

CVE-2021-32709 (affected: < 6.4.1.1)
Shopware is an open source eCommerce platform. Creation of order credits was not validated by ACL in admin orders. Users are recom

CVE-2020-13997 (affected: < 6.2.3)
In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose err

CVE-2020-13971 (affected: < 6.2.3)
In Shopware before 6.2.3, authenticated users are allowed to use the Mediabrowser fileupload feature to upload SVG images containi

CVE-2020-13970 (affected: < 6.2.3)
Shopware before 6.2.3 is vulnerable to a Server-Side Request Forgery (SSRF) in its "Mediabrowser upload by URL" feature. This allo

CVE-2019-12935 (affected: < 5.5.8)
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.

CVE-2019-12799 (affected: <= 5.6.0)
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulner

CVE-2018-20713 (affected: < 5.4.3)
Shopware before 5.4.3 allows SQL Injection by remote authenticated users, aka SW-21404.

CVE-2017-18357 (affected: < 5.3.4)
Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopwar

CVE-2017-15374 (affected: all versions)
Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the customer and order section of the content management system ba

CVE-2016-3109 (affected: <= 5.1.4)
The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code.
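Two things trip people up when matching an installed Shopware version against the ranges above. First, the four-part numbering (6.6.10.15) breaks plain string comparison: as text, "6.6.10.9" sorts after "6.6.10.10", so a naive check would call 6.6.10.9 safe for CVE-2025-67648 when the listing says it is affected. Second, several range fields cover a single release branch while the advisory text names a second fixed version (for example "< 6.6.10.15" beside "Prior to 6.6.10.15 and 6.7.8.1" for CVE-2026-31889), and at least one range field disagrees with its own text (CVE-2025-27892: "< 6.5.8.17" versus "prior to version 6.5.8.13"). The script below is an added illustration, not part of this listing or of Shopware; it parses the range notation used on this page (`< X`, `<= X`, `>= X and < Y`, `all versions`) with integer-wise comparison, treats a pre-release such as 6.5.0.0-rc1 as older than 6.5.0.0, and reports which sample CVEs contain a given version. The `SAMPLE_RANGES` mapping holds six entries copied from the list above and is a constructed subset, not the full 69.

```python
import re

# Constructed sample keyed by CVE id: six range expressions copied verbatim from
# the listing above. The page carries 69 entries; this is not a complete mapping.
SAMPLE_RANGES = {
    "CVE-2026-31889": "< 6.6.10.15",
    "CVE-2026-23498": ">= 6.7.0.0 and < 6.7.6.1",
    "CVE-2025-67648": ">= 6.4.6.0 and < 6.6.10.10",
    "CVE-2023-34099": ">= 5.1.4 and <= 5.7.17",
    "CVE-2022-48150": "all versions",
    "CVE-2019-12799": "<= 5.6.0",
}

# One clause of a range field: an operator followed by a version, optional "v" prefix.
_CLAUSE_RE = re.compile(r"^(<=|>=|<|>|=)\s*v?([0-9][0-9A-Za-z.\-]*)$")
# A version string: dotted integers, optionally followed by "-rc1"-style pre-release.
_VERSION_RE = re.compile(r"^(?:v)?(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d*))?$")


def version_key(version: str):
    """Turn '6.6.10.9' or '6.5.0.0-rc1' into a tuple that orders correctly.

    Numeric parts compare as integers (so 6.6.10.9 < 6.6.10.10, which a plain
    string comparison gets wrong), short versions are padded to four parts
    ('6.1.0' equals '6.1.0.0'), and a pre-release such as -rc1 sorts below
    the final release it precedes.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    if m.group(2) is None:
        return (nums, 1, ())  # final release: flag 1 sorts after any pre-release
    pre_num = int(m.group(3)) if m.group(3) else 0
    return (nums, 0, (m.group(2).lower(), pre_num))  # pre-release: flag 0


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def is_affected(installed: str, range_expr: str) -> bool:
    """True if `installed` satisfies every clause of a listing range such as
    '>= 6.4.6.0 and < 6.6.10.10'. The literal 'all versions' always matches."""
    expr = range_expr.strip()
    if expr.lower() == "all versions":
        return True
    key = version_key(installed)
    for clause in expr.split(" and "):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](key, version_key(bound)):
            return False
    return True


def affected_cves(installed: str, ranges: dict) -> list:
    """CVE ids whose listed range contains `installed`, in listing order."""
    return [cve for cve, rng in ranges.items() if is_affected(installed, rng)]


if __name__ == "__main__":
    for v in ("6.6.10.9", "6.6.10.10", "6.7.0.0", "5.7.17"):
        print(v, "->", affected_cves(v, SAMPLE_RANGES))
```

A match against the range field is only the first pass. Because the range column records one branch, a 6.7.x installation must also be checked against the second fixed version the description names (6.7.8.1 for the three CVE-2026-318xx entries, 6.7.5.0 for CVE-2025-67648); and where the range field and the description disagree, as for CVE-2025-27892, read the full advisory before deciding the install is out of scope.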