Security Advisories - shopware/core - Packagist

shopware/core Security Advisories for v6.5.6.0 (12)

[LOW] Shopware default newsletter opt-in settings allow for mass sign-up abuse

PKSA-8vfm-96b7-t9nt CVE-2025-32378 GHSA-4h9w-7vfp-px8m

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0-rc1,<6.6.10.3

Reported by:
GitHub
[MEDIUM] Shopware Broken ACL on Document retrieval to access other customers documents

PKSA-frt7-rv6d-9v53 GHSA-68wv-g3fw-pq7q

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3

Reported by:
GitHub
[HIGH] Shopware Vulnerable to Blind SQL-injection in DAL aggregations

PKSA-m54b-2v2z-x1bs CVE-2025-27892 GHSA-8g35-7rmw-7f59

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3

Reported by:
GitHub
[HIGH] Shopware allows Denial Of Service via password length

PKSA-k472-zz4q-rd5r CVE-2025-30151 GHSA-cgfj-hj93-rmh2

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3

Reported by:
GitHub
[MEDIUM] Shopware 6 allows attackers to check for registered accounts through the store-api

PKSA-dbxn-psgm-2qmr CVE-2025-30150 GHSA-hh7j-6x3q-f52h

Affected version: <6.5.8.17|>=6.7.0.0-rc1,<6.7.0.0-rc2|>=6.6.0.0,<6.6.10.3

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to blind SQL-injection in DAL aggregations

PKSA-wp2c-7yp8-5fvs CVE-2024-42357 GHSA-p6w9-r443-r752

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using Context functions

PKSA-kt1g-n1g2-hzb4 CVE-2024-42356 GHSA-35jp-8cgg-p4wj

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[HIGH] Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag

PKSA-6stq-czfs-1nvv CVE-2024-42355 GHSA-27wp-jvhw-v4xp

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[MEDIUM] Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api

PKSA-4spx-rq41-wk8h CVE-2024-42354 GHSA-hhcq-ph6w-494g

Affected version: >=6.6.0.0,<=6.6.5.0|<=6.5.8.12

Reported by:
GitHub
[MEDIUM] Shopware Improper Session Handling in store-api account logout

PKSA-s8vz-878v-gv1c CVE-2024-31447 GHSA-5297-wrrp-rcj7

Affected version: >=6.6.0.0-rc1,<6.6.1.0|>=6.3.5.0,<6.5.8.8

Reported by:
GitHub
[MEDIUM] Broken Access Control order API in Shopware

PKSA-mm7q-gnjj-tttn CVE-2024-22407 GHSA-3867-jc5c-66qf

Affected version: <=6.5.7.3

Reported by:
GitHub
[CRITICAL] Blind SQL injection in shopware

PKSA-ktmn-6519-qrdp CVE-2024-22406 GHSA-qmp9-2xwj-m6m9

Affected version: <=6.5.7.3

Reported by:
GitHub