Server-Side Request Forgery (SSRF) in Shopware - #VU131951

Published: May 20, 2026


Vulnerability identifier: #VU131951
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software: Shopware

Detailed vulnerability description

The vulnerability allows a remote privileged user to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the /api/_action/media/external-link endpoint when processing a user-supplied external URL. A remote privileged user can send a specially crafted URL to disclose sensitive information.

The issue affects the linkURL flow in MediaUploadService, which performs server-side HTTP HEAD requests without validating resolved IP addresses against private or reserved ranges. Symfony HttpClient follows redirects by default, which can allow an external server to redirect the request to internal destinations.
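As an added illustration of the mitigation the description implies (this is not Shopware's code; the function names are hypothetical and only IPv4 A records are checked), a hardened HEAD flow in PHP with Symfony HttpClient that validates every resolved address against private and reserved ranges, pins the validated IP for the request, and re-validates each redirect hop instead of letting the client follow redirects on its own:

```php
<?php
// Added example, not Shopware's implementation.
use Symfony\Component\HttpClient\HttpClient;

// Returns a validated public IPv4 address for $host, or null if any
// resolved address is loopback, RFC1918, link-local (169.254/16) or reserved.
function resolveSafePublicIp(string $host): ?string
{
    $candidates = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($candidates === []) {
        return null;
    }
    foreach ($candidates as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return null; // one non-public answer is enough to reject the host
        }
    }
    return $candidates[0];
}

// HEAD request that rejects non-public targets on the initial URL and on
// every redirect hop (assumes absolute Location headers; $maxHops is a bound).
function safeHead(string $url, int $maxHops = 3): array
{
    $client = HttpClient::create();
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $parts = parse_url($url);
        if (!in_array($parts['scheme'] ?? '', ['http', 'https'], true) || empty($parts['host'])) {
            throw new \InvalidArgumentException("Rejected URL: $url");
        }
        $ip = resolveSafePublicIp($parts['host']);
        if ($ip === null) {
            throw new \InvalidArgumentException("Host resolves to a non-public address: {$parts['host']}");
        }
        // 'resolve' pins the checked IP (no second DNS lookup, so no rebinding);
        // 'max_redirects' => 0 stops the client following Location on its own.
        $response = $client->request('HEAD', $url, [
            'max_redirects' => 0,
            'resolve' => [$parts['host'] => $ip],
        ]);
        $status = $response->getStatusCode();
        $headers = $response->getHeaders(false);
        $location = $headers['location'][0] ?? null;
        if ($status < 300 || $status >= 400 || $location === null) {
            return ['url' => $url, 'status' => $status, 'headers' => $headers];
        }
        $url = $location; // loop re-validates the redirect target before requesting it
    }
    throw new \RuntimeException('Too many redirects');
}
```

Logging the rejected host and the redirect chain at the `InvalidArgumentException` sites gives a detection signal for attempts to reach internal addresses through this endpoint.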


Remediation

Install the security update from the vendor's website.

Sources