Shopware/platform

This hub aggregates every CVE we track for Shopware/platform, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Shopware/platform.

• CVE-2026-31889Shopware has a potential take over of app credentials8.9Mar 11, 2026
• CVE-2026-31888Shopware has user enumeration via distinct error codes on Store API login endpoint5.3Mar 11, 2026
• CVE-2026-31887Shopware unauthenticated data extraction possible through store-api.order endpoint7.5Mar 11, 2026
• CVE-2025-7954Race Condition in Shopware Voucher Submission8.1Aug 6, 2025
• CVE-2025-27892Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.6.8Apr 15, 2025
• CVE-2025-32378Shopware's default newsletter opt-in settings allow for mass sign-up abuse5.3Apr 9, 2025
• CVE-2025-30150Shopware 6 allows attackers to check for registered accounts through the store-api5.3Apr 8, 2025
• CVE-2025-30151Shopware allows Denial Of Service via password length7.5Apr 8, 2025
• CVE-2024-42357Shopware vulnerable to blind SQL-injection in DAL aggregations7.3Aug 8, 2024
• CVE-2024-42356Shopware vulnerable to Server Side Template Injection in Twig using Context functions8.3Aug 8, 2024
• CVE-2024-42355Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag8.3Aug 8, 2024
• CVE-2024-42354Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api5.3Aug 8, 2024
• CVE-2024-31447Shopware has Improper Session Handling in store-api5.3Apr 8, 2024
• CVE-2024-27917Shopware's session is persistent in Cache for 404 pages7.5Mar 6, 2024
• CVE-2024-22406Blind SQL-injection in DAL aggregations in Shopware9.3Jan 16, 2024