Improper control of interaction frequency in Shopware - CVE-2025-32378
Published: April 8, 2025 / Updated: May 20, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote attacker to cause unsolicited newsletter sign-ups.
The vulnerability exists due to improper control of interaction frequency in the newsletter opt-in functionality: an account can be registered with an arbitrary email address and the newsletter subscription enabled from the account page. A remote attacker can register accounts using victims' email addresses and enable newsletter subscriptions, causing unsolicited newsletter sign-ups.
The issue occurs even with the default double-opt-in configuration: the subscription becomes active immediately, without the confirmation link ever being clicked.
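To make the defect and its fix concrete, here is an added Python model (not Shopware's code) of the account-page newsletter toggle: the vulnerable path activates a subscription immediately, while the hardened path caps opt-in requests per address and activates a recipient only after the mailed confirmation token is presented for that same address. The class and method names are assumptions for illustration.

```python
import secrets
import time
from collections import defaultdict, deque

# Recipient states of the double-opt-in flow the advisory describes: a
# subscription must stay pending until the mailed confirmation token is used.
NOT_SET, OPT_IN_PENDING, DIRECT = "notSet", "optIn", "direct"


class NewsletterService:
    """Constructed model of an account-page newsletter toggle, not Shopware code."""

    def __init__(self, max_requests=3, window_seconds=3600):
        self.status = defaultdict(lambda: NOT_SET)  # email -> state
        self.tokens = {}                             # token -> email it was mailed to
        self.requests = defaultdict(deque)           # email -> opt-in request times
        self.max_requests = max_requests
        self.window = window_seconds

    def subscribe_vulnerable(self, email):
        # The flawed behaviour: toggling the flag on the account page
        # activates the subscription at once, with no confirmation step.
        self.status[email] = DIRECT
        return self.status[email]

    def subscribe(self, email, now=None):
        """Hardened path: cap opt-in requests per address, then only go pending."""
        now = time.time() if now is None else now
        recent = self.requests[email]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return None  # interaction frequency exceeded: send no mail
        recent.append(now)
        if self.status[email] == DIRECT:
            return None  # already confirmed, nothing to do
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        self.status[email] = OPT_IN_PENDING
        return token  # would be embedded in the confirmation link

    def confirm(self, token, email):
        # Only the mailbox owner can present the token; it is bound to the
        # address so a token cannot activate a different recipient.
        owner = self.tokens.get(token)
        if owner is None or owner != email:
            return False
        del self.tokens[token]
        self.status[email] = DIRECT
        return True
```

The window and request cap are constructed values; in a real deployment they would be tuned per store and combined with an IP-based limit on the registration endpoint.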