Cross-site scripting in Shopware - #VU131948

 

Published: May 20, 2026


Vulnerability identifier: #VU131948
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software: Shopware

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the context of the Shopware domain.

The vulnerability exists due to cross-site scripting in the SVG upload handling pipeline when processing uploaded SVG files. A remote privileged user can upload a specially crafted SVG file to execute arbitrary script in the context of the Shopware domain.

The issue affects users who access the uploaded SVG.
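
A check that could be run over SVG files already in a shop's media store, or before accepting an upload. This is an added example, not Shopware's code or the vendor's fix. The advisory does not say which SVG construct is involved, so the function looks for the usual script-bearing ones; `svg_findings`, `local` and both sample documents are constructed here, and the entity check assumes an ASCII-compatible encoding such as UTF-8.

```python
import pathlib
import sys
import xml.etree.ElementTree as ET

# Elements that can carry script or embed HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree adds and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG could run script when viewed ([] if none found)."""
    if b"<!ENTITY" in data:
        # Refuse entity declarations up front instead of letting the parser expand them.
        return ["entity declaration (not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            compact = "".join(value.split()).lower()  # ignore whitespace in the value
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif "javascript:" in compact:
                findings.append(f"javascript: URI in {attr} on <{tag}>")
    return findings

# Constructed samples, not taken from the advisory.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
CRAFTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           b'<script>alert(1)</script><a href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    # Usage: python svg_check.py media/*.svg ; with no arguments the samples are checked.
    samples = {"CLEAN": CLEAN, "CRAFTED": CRAFTED}
    files = {p: pathlib.Path(p).read_bytes() for p in sys.argv[1:]} or samples
    for name, data in files.items():
        print(name, svg_findings(data) or "no active content found")
```

An empty result only means none of these constructs were found; it does not replace installing the vendor update.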


Remediation

Install the security update from the vendor's website.

Sources