SB2026052004 - Multiple vulnerabilities in Shopware
Published: May 20, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2025-27892)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information, modify data, or cause a denial of service.
The vulnerability exists due to SQL injection in the DAL aggregation name field of nested aggregations when processing search requests with user-supplied aggregation parameters. A remote attacker can send specially crafted aggregation parameters to disclose sensitive information, modify data, or cause a denial of service.
The issue affects the search functionality exposed through the application API.
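The defensive counterpart to this item is to treat aggregation names as identifiers and validate them recursively before any query text is built. The following is an added illustration, not Shopware's code: it assumes a request shape in which each aggregation object carries a "name" and optionally one nested "aggregation" object, and rejects any name that is not a plain identifier, so that nested aggregations are checked as strictly as top-level ones.

```python
import re
from typing import Any

# Added example, not Shopware code. Assumed request shape: a list of aggregation
# objects, each with a "name" and optionally one nested "aggregation" object.
IDENTIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


class InvalidAggregationName(ValueError):
    """Raised when an aggregation name is not a plain identifier."""


def validate_aggregations(aggregations: list[dict[str, Any]], path: str = "") -> list[str]:
    """Return the dotted names of every aggregation, recursing into nested ones.

    Any name that is not a plain identifier raises InvalidAggregationName before
    anything is interpolated into SQL, so this validation, not the query builder,
    is the trust boundary for user-supplied names.
    """
    found: list[str] = []
    for agg in aggregations:
        if not isinstance(agg, dict):
            raise InvalidAggregationName(f"aggregation under {path or '<root>'} is not an object")
        name = agg.get("name")
        if not isinstance(name, str) or IDENTIFIER_RE.match(name) is None:
            raise InvalidAggregationName(f"rejected aggregation name under {path or '<root>'}: {name!r}")
        full = f"{path}.{name}" if path else name
        found.append(full)
        nested = agg.get("aggregation")
        if nested is not None:
            # The nested object is validated with exactly the same rule.
            found.extend(validate_aggregations([nested], full))
    return found


def sql_alias(name: str) -> str:
    """Quote an already-validated name as a MySQL identifier for use as a column alias."""
    if IDENTIFIER_RE.match(name) is None:
        raise InvalidAggregationName(name)
    return f"`{name}`"


if __name__ == "__main__":
    # Constructed sample request with one nested aggregation.
    request = [{"name": "by_category", "type": "terms", "field": "categoryId",
                "aggregation": {"name": "revenue", "type": "sum", "field": "price"}}]
    print(validate_aggregations(request))
```

The allowlist pattern is deliberately narrow; if the real API permits other characters in names, the pattern should be widened only as far as the identifier-quoting function can safely handle, never to include the quoting character itself.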
2) Improper Authorization (CVE-ID: N/A)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper authorization in document retrieval when accessing documents via a guessed deepLinkCode. A remote attacker can guess a document deepLinkCode to disclose sensitive information.
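Two properties close this class of issue on the defending side: the code must be drawn from a CSPRNG with enough entropy that enumeration is impractical, and possession of the code should be combined with an ownership check rather than being the sole authorization factor. The following added example is not Shopware's code; the document store, the customer field and the fetch signature are assumptions chosen to show the pattern.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not Shopware code. The store and its fields are assumptions.


@dataclass(frozen=True)
class Document:
    document_id: str
    customer_id: str
    deep_link_code: str


def new_deep_link_code() -> str:
    """32 bytes from the OS CSPRNG, URL-safe encoded: not predictable or enumerable."""
    return secrets.token_urlsafe(32)


class DocumentStore:
    def __init__(self) -> None:
        self._docs: dict[str, Document] = {}

    def add(self, document_id: str, customer_id: str) -> Document:
        doc = Document(document_id, customer_id, new_deep_link_code())
        self._docs[document_id] = doc
        return doc

    def fetch(self, document_id: str, deep_link_code: str,
              requesting_customer_id: str) -> Optional[Document]:
        """Return the document only if the code matches AND the requester owns it."""
        doc = self._docs.get(document_id)
        if doc is None:
            return None
        # Constant-time comparison so that partial matches do not leak through timing.
        if not hmac.compare_digest(doc.deep_link_code, deep_link_code):
            return None
        # The code alone is not sufficient: bind the access to the owning customer.
        if doc.customer_id != requesting_customer_id:
            return None
        return doc


if __name__ == "__main__":
    store = DocumentStore()
    invoice = store.add("inv-1001", "customer-a")  # constructed sample data
    print(store.fetch("inv-1001", invoice.deep_link_code, "customer-a") is not None)
    print(store.fetch("inv-1001", invoice.deep_link_code, "customer-b") is None)
```

Where a flow must work for guests who have no account, the ownership check can be replaced by binding the code to another secret the legitimate recipient already holds (for example the session that placed the order), but the code itself should never be short enough to guess.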
3) Input validation error (CVE-ID: CVE-2025-30151)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in password handling in Storefront forms or Store-API when processing excessively long passwords. A remote attacker can submit a specially crafted request with a long password to cause a denial of service.
4) Observable discrepancy (CVE-ID: CVE-2025-30150)
CWE-ID: CWE-203 - Observable Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose whether a specific e-mail address is associated with an account.
The vulnerability exists due to improper access control in the /store-api/account/recovery-password endpoint when handling password recovery requests. A remote attacker can send a request with a chosen e-mail address to disclose whether a specific e-mail address is associated with an account.
The endpoint returns different responses depending on whether the supplied e-mail address matches an existing customer account.
5) Improper control of interaction frequency (CVE-ID: CVE-2025-32378)
CWE-ID: CWE-799 - Improper Control of Interaction Frequency
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause unsolicited newsletter sign-ups.
The vulnerability exists due to improper control of interaction frequency in the newsletter opt-in functionality when registering an account with an arbitrary email address and enabling newsletter subscription from the account page. A remote attacker can register accounts using victim email addresses and enable newsletter subscriptions to cause unsolicited newsletter sign-ups.
The issue occurs with the default double-opt-in configuration, where newsletter subscriptions can become instantly active without requiring confirmation links to be clicked.
6) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to reset a customer's password.
The vulnerability exists due to improper access control in the password recovery mechanism when processing a password reset link after an email address change. A remote privileged user can use a previously issued password recovery link tied to the old email address to reset a customer's password.
Exploitation requires access to the old email inbox after a password reset was requested and before the email address was changed.
Remediation
Install the update from the vendor's website.
References
- https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59
- https://github.com/advisories/GHSA-8g35-7rmw-7f59
- https://github.com/shopware/shopware/security/advisories/GHSA-68wv-g3fw-pq7q
- https://github.com/advisories/GHSA-68wv-g3fw-pq7q
- https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2
- https://github.com/advisories/GHSA-cgfj-hj93-rmh2
- https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h
- https://github.com/advisories/GHSA-hh7j-6x3q-f52h
- https://github.com/shopware/shopware/security/advisories/GHSA-4h9w-7vfp-px8m
- https://github.com/shopware/shopware/security/advisories/GHSA-2w46-vq8h-98vh