SB2026052059 - Multiple vulnerabilities in Shopware




Published: May 20, 2026

Security Bulletin ID: SB2026052059
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 9 vulnerabilities.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in the context of the Shopware domain.

The vulnerability exists due to cross-site scripting in the SVG upload handling pipeline when processing uploaded SVG files. A remote privileged user can upload a specially crafted SVG file to execute arbitrary script in the context of the Shopware domain.

The issue affects users who access the uploaded SVG.


2) Improper privilege management (CVE-ID: N/A)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper privilege management in UserController::upsertUser() when handling API requests to create or update users. A remote privileged user can set the admin field to true on a new or existing user account to escalate privileges.

The issue occurs because user data is written in SYSTEM_SCOPE, which bypasses AclWriteValidator checks for the admin field.


3) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to redirect users to an arbitrary URL.

The vulnerability exists due to improper input validation in the GET /api/oauth/sso/auth endpoint when handling requests without the expected SSO session state. A remote attacker can supply a crafted Referer header to redirect users to an arbitrary URL.

User interaction is required, and the endpoint also reflects the attacker-controlled target into the Location header and the HTML redirect body, including dangerous schemes such as javascript:.
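The defensive counterpart to item 3, as an added Python example (not Shopware code): a return-URL derived from an untrusted Referer-style value is accepted only if it is a plain local path or a same-origin https URL, everything else falls back to a fixed default, and the body that reflects the target escapes it. The host name shop.example and the /admin default are assumptions.

```python
"""Added example: pick a post-SSO redirect target from an untrusted value
(e.g. a Referer header) without creating an open redirect. Host name and
default path are constructed for the demo."""
from html import escape
from urllib.parse import urlsplit, urlunsplit


def safe_return_url(candidate, own_host: str, default: str = "/admin") -> str:
    """Return a safe same-origin target, or `default` if the candidate is not."""
    if not candidate:
        return default
    # Control chars, whitespace and backslashes are classic parser-confusion inputs.
    if any(ord(c) < 0x21 for c in candidate) or "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only https and exactly our own host (so javascript:,
        # data:, other hosts and userinfo tricks like host@evil are rejected).
        if parts.scheme.lower() != "https" or parts.netloc.lower() != own_host.lower():
            return default
        path = parts.path or "/"
    else:
        # Relative: a single leading slash; "//host/..." is protocol-relative.
        if parts.netloc or not parts.path.startswith("/") or parts.path.startswith("//"):
            return default
        path = parts.path
    # Re-emit as a local path so no scheme or authority is ever reflected.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def redirect_response(target: str) -> tuple[dict, str]:
    """Headers and HTML body for a 302; the reflected URL is attribute-escaped."""
    headers = {"Location": target}
    body = f'<html><body><a href="{escape(target, quote=True)}">Continue</a></body></html>'
    return headers, body
```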


4) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the /api/_action/media/external-link endpoint when processing a user-supplied external URL. A remote privileged user can send a specially crafted URL to disclose sensitive information.

The issue affects the linkURL flow in MediaUploadService, which performs server-side HTTP HEAD requests without validating resolved IP addresses against private or reserved ranges. Symfony HttpClient follows redirects by default, which can allow an external server to redirect the request to internal destinations.
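The two missing controls named in item 4, resolved-address filtering and per-hop redirect validation, as an added Python example (not Shopware's PHP code): the DNS resolver and the HTTP HEAD call are injected so it runs offline on a constructed host table, and the HEAD callback is expected to connect to the already-validated IP rather than re-resolving.

```python
"""Added example: validate an external-link URL before a server-side HEAD
request and re-validate every redirect hop. resolve() and head() are
injected so the check runs offline on constructed data."""
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECTS = {301, 302, 303, 307, 308}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_external_url(url: str, resolve) -> list[str]:
    """Return the public IPs the URL's host maps to, or raise ValueError.
    resolve(host) -> list of IP strings (a DNS lookup, injected here)."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        raise ValueError(f"unsupported URL: {url!r}")
    try:  # IP literals (including bracketed IPv6) need no DNS lookup
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise ValueError(f"unresolvable host: {host}")
    blocked = [ip for ip in ips if not is_public_ip(ip)]
    if blocked:
        raise ValueError(f"{host} resolves to non-public address(es) {blocked}")
    return ips


def safe_head(url: str, resolve, head, max_hops: int = 3) -> tuple[int, str]:
    """HEAD with redirects followed manually so every hop is validated.
    head(url, ip) -> (status, Location header or None); it must connect to
    the pinned ip, not re-resolve, to close the DNS-rebinding window."""
    for _ in range(max_hops + 1):
        ips = validate_external_url(url, resolve)
        status, location = head(url, ips[0])
        if status not in REDIRECTS or not location:
            return status, url
        url = urljoin(url, location)  # relative Location headers are legal
    raise ValueError("too many redirects")
```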


5) Authorization bypass through user-controlled key (CVE-ID: N/A)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to trigger payment attempts for another user's order.

The vulnerability exists due to improper access control in /store-api/handle-payment when processing a user-supplied orderId. A remote user can submit a foreign orderId to trigger payment attempts for another user's order.

Guest context is sufficient, and the issue affects payment initiation and retry flows for orders not owned by the caller.


6) Improper Authorization (CVE-ID: N/A)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify order lifecycle states without intended privileges.

The vulnerability exists due to improper access control in order state transition endpoints when handling direct Admin API transition requests. A remote user can send a specially crafted transition request to modify order lifecycle states without intended privileges.

The issue affects order, order-transaction, and order-delivery transition routes, and direct API calls succeed even when equivalent normal update requests are rejected.


7) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to missing authorization in the Sync API integration write path when handling crafted Sync API requests to create integrations. A remote privileged user can create an integration with the admin field set to true via POST /api/_action/sync to escalate privileges.

The dedicated integration endpoint applies an admin check, but the Sync API writes directly through the DAL EntityWriter, and the integration entity definition lacks write protection on the admin field.


8) Information disclosure (CVE-ID: N/A)

CWE-ID: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to take over any admin account.

The vulnerability exists due to exposure of sensitive information in the user_recovery entity hash field via the Admin API search endpoint when processing user recovery records through POST /api/search/user-recovery. A remote user can trigger password recovery for a victim account, read the recovery hash, and submit it to the password reset endpoint to take over any admin account.

The issue depends on combining an authenticated read of the recovery hash with the unauthenticated password recovery trigger and password reset endpoints.


9) Information Exposure Through Timing Discrepancy (CVE-ID: N/A)

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to enumerate administrator usernames.

The vulnerability exists due to observable timing discrepancy in getUserEntityByUserCredentials() in src/Core/Framework/Api/OAuth/UserRepository.php when handling authentication requests to api/oauth/token. A remote attacker can send authentication requests and measure response times to enumerate administrator usernames.

The issue occurs because requests for nonexistent usernames return earlier than requests for existing usernames that reach password verification.
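The fix for the timing oracle in item 9, as an added Python example (not the PHP code path named above): the vulnerable shape returns before any hashing for unknown usernames, the fixed shape always verifies a hash (against a throwaway one when the user is unknown), and timing_gap_ms() measures the difference so the two can be compared. PBKDF2 with a lowered iteration count and the one-user table are assumptions for the demo.

```python
"""Added example: remove the login timing oracle by doing the same
password-hash work whether or not the username exists. PBKDF2 with a
lowered cost stands in for the real hash; the user table is constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # lowered for the demo; use your real cost parameters


def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


USERS = {"admin": hash_password("correct horse battery staple")}
# A throwaway hash with the same cost, verified against when the user is unknown.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def authenticate_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: unknown usernames return before any hashing."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


def authenticate_constant_work(username: str, password: str) -> bool:
    """Fixed shape: always verify a hash, then discard the result if unknown."""
    stored = USERS.get(username)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None


def timing_gap_ms(auth, samples: int = 5) -> float:
    """Median latency(known user) minus median latency(unknown user), in ms."""
    def median_ms(user: str) -> float:
        times = []
        for _ in range(samples):
            start = time.perf_counter()
            auth(user, "definitely wrong")
            times.append(time.perf_counter() - start)
        return sorted(times)[samples // 2] * 1000
    return median_ms("admin") - median_ms("no-such-user")
```

The remaining differences in the fixed shape (a dictionary lookup and a boolean) are orders of magnitude below the hash cost, which is what makes the two username classes indistinguishable over the network.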


Remediation

Install the update from the vendor's website.