Shopware/shopware

This hub aggregates every CVE we track for Shopware/shopware, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Shopware/shopware.

• CVE-2026-23498Shopware Improper Control of Generation of Code in Twig rendered views7.2Jan 14, 2026
• CVE-2025-67648Shopware's inproper input validation can lead to Reflected XSS through Storefront Login Page7.1Dec 10, 2025
• CVE-2023-34099Improper mail validation in Shopware5.3Jun 27, 2023
• CVE-2023-34098Dependency configuration exposed in Shopware5.3Jun 27, 2023
• CVE-2022-48150Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI.6.1Apr 21, 2023
• CVE-2022-36102Acess control list bypassed via crafted specific URLs6.3Sep 12, 2022
• CVE-2022-36101Sensitive data in backend customer module5.4Sep 12, 2022
• CVE-2022-31148Persistent cross site scripting in customer module in Shopware5.4Aug 1, 2022
• CVE-2022-31057Authenticated Stored XSS in Shopware Administration6.5Jun 27, 2022
• CVE-2022-24892Multiple valid tokens for password reset in Shopware6.4Apr 28, 2022
• CVE-2022-24879Malfunction of Cross-Site Request Forgery token validation7.5Apr 28, 2022
• CVE-2022-24873Non-Stored Cross-site Scripting in Shopware storefront5.4Apr 28, 2022
• CVE-2022-21652Insufficient Session Expiration in shopware3.5Jan 5, 2022
• CVE-2022-21651Open redirect in shopware6.8Jan 5, 2022
• CVE-2021-41188Authenticated Stored XSS in Administration5.7Oct 26, 2021