| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-32142 | shopware/commercial: `/api/_info/config` route exposes information about licenses | shopware | commercial | Medium | 5.3 | 2026-03-12 18:17:36 | Deep Dive |
| CVE-2026-31889 | Shopware has a potential take over of app credentials | shopware | core | High | 8.9 | 2026-03-11 18:56:23 | Deep Dive |
| CVE-2026-31888 | Shopware has user enumeration via distinct error codes on Store API login endpoint | shopware | core | Medium | 5.3 | 2026-03-11 18:53:03 | Deep Dive |
| CVE-2026-31887 | Shopware unauthenticated data extraction possible through store-api.order endpoint | shopware | core | - | - | 2026-03-11 18:49:46 | Deep Dive |
| CVE-2026-23498 | Shopware Improper Control of Generation of Code in Twig rendered views | shopware | shopware | High | 7.2 | 2026-01-14 18:31:19 | Deep Dive |
| CVE-2025-67648 | Shopware's improper input validation can lead to Reflected XSS through Storefront Login Page | shopware | shopware | High | 7.1 | 2025-12-10 23:55:10 | Deep Dive |
| CVE-2025-7954 | Race Condition in Shopware Voucher Submission | Shopware | Shopware | - | - | 2025-08-06 07:16:10 | Deep Dive |
| CVE-2025-32378 | Shopware's default newsletter opt-in settings allow for mass sign-up abuse | shopware | shopware | - | - | 2025-04-09 15:37:44 | Deep Dive |
| CVE-2025-30150 | Shopware 6 allows attackers to check for registered accounts through the store-api | shopware | shopware | - | - | 2025-04-08 13:46:45 | Deep Dive |
| CVE-2025-30151 | Shopware allows Denial Of Service via password length | shopware | shopware | High | 7.5 | 2025-04-08 13:46:31 | Deep Dive |
| CVE-2024-42357 | Shopware vulnerable to blind SQL-injection in DAL aggregations | shopware | shopware | High | 7.3 | 2024-08-08 14:55:51 | Deep Dive |
| CVE-2024-42356 | Shopware vulnerable to Server Side Template Injection in Twig using Context functions | shopware | shopware | High | 8.3 | 2024-08-08 14:52:54 | Deep Dive |
| CVE-2024-42355 | Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag | shopware | shopware | High | 8.3 | 2024-08-08 14:49:38 | Deep Dive |
| CVE-2024-42354 | Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api | shopware | shopware | Medium | 5.3 | 2024-08-08 14:44:25 | Deep Dive |
| CVE-2024-31447 | Shopware has Improper Session Handling in store-api | shopware | shopware | Medium | 5.3 | 2024-04-08 15:39:30 | Deep Dive |
| CVE-2024-27917 | Shopware's session is persistent in Cache for 404 pages | shopware | shopware | High | 7.5 | 2024-03-06 19:36:27 | Deep Dive |
| CVE-2024-22406 | Blind SQL-injection in DAL aggregations in Shopware | shopware | shopware | Critical | 9.3 | 2024-01-16 22:30:04 | Deep Dive |
| CVE-2024-22407 | Broken Access Control order API in Shopware | shopware | shopware | Medium | 4.9 | 2024-01-16 22:29:07 | Deep Dive |
| CVE-2024-22408 | Server-Side Request Forgery (SSRF) in Shopware Flow Builder | shopware | shopware | High | 7.6 | 2024-01-16 22:26:41 | Deep Dive |
| CVE-2023-34099 | Improper mail validation in Shopware | shopware | shopware | Medium | 5.3 | 2023-06-27 16:29:07 | Deep Dive |