Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-48009

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-17 Jul, 2026 | 17:58
Updated At-17 Jul, 2026 | 17:58
Rejected At-
Credits

Shopware: Admin Account Takeover via User Recovery Hash Exposure

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:17 Jul, 2026 | 17:58
Updated At:17 Jul, 2026 | 17:58
Rejected At:
â–¼CVE Numbering Authority (CNA)
Shopware: Admin Account Takeover via User Recovery Hash Exposure

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Affected Products
Vendor
shopware
Product
shopware
Versions
Affected
  • < 6.6.10.18
  • >= 6.7.0.0, < 6.7.10.1
Vendor
shopware
Product
platform
Versions
Affected
  • < 6.6.10.18
  • >= 6.7.0.0, < 6.7.10.1
Problem Types
TypeCWE IDDescription
CWECWE-200CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
CWE ID: CWE-200
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Metrics
VersionBase scoreBase severityVector
3.16.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f
x_refsource_CONFIRM
https://github.com/shopware/shopware/commit/06f8b9aa4fecb239a2ff33a6546192d7ce7ed0f8
x_refsource_MISC
https://github.com/shopware/shopware/commit/9ef4873f810e26fb38da051624f7f2720139279a
x_refsource_MISC
https://github.com/shopware/shopware/commit/d82c23d8d5b22dd722c8f76c4f66785d1a7a72d8
x_refsource_MISC
https://github.com/shopware/shopware/releases/tag/v6.6.10.18
x_refsource_MISC
https://github.com/shopware/shopware/releases/tag/v6.7.10.1
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/shopware/shopware/commit/06f8b9aa4fecb239a2ff33a6546192d7ce7ed0f8
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/commit/9ef4873f810e26fb38da051624f7f2720139279a
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/commit/d82c23d8d5b22dd722c8f76c4f66785d1a7a72d8
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.6.10.18
Resource:
x_refsource_MISC
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.7.10.1
Resource:
x_refsource_MISC
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:17 Jul, 2026 | 18:17
Updated At:17 Jul, 2026 | 18:30

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 6.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-200Primarysecurity-advisories@github.com
CWE ID: CWE-200
Type: Primary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/shopware/shopware/commit/06f8b9aa4fecb239a2ff33a6546192d7ce7ed0f8security-advisories@github.com
N/A
https://github.com/shopware/shopware/commit/9ef4873f810e26fb38da051624f7f2720139279asecurity-advisories@github.com
N/A
https://github.com/shopware/shopware/commit/d82c23d8d5b22dd722c8f76c4f66785d1a7a72d8security-advisories@github.com
N/A
https://github.com/shopware/shopware/releases/tag/v6.6.10.18security-advisories@github.com
N/A
https://github.com/shopware/shopware/releases/tag/v6.7.10.1security-advisories@github.com
N/A
https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98fsecurity-advisories@github.com
N/A
Hyperlink: https://github.com/shopware/shopware/commit/06f8b9aa4fecb239a2ff33a6546192d7ce7ed0f8
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/commit/9ef4873f810e26fb38da051624f7f2720139279a
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/commit/d82c23d8d5b22dd722c8f76c4f66785d1a7a72d8
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.6.10.18
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/releases/tag/v6.7.10.1
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

12Records found

CVE-2022-24748
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.75% / 50.69%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 22:25
Updated-23 Apr, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authentication in shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-32142
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.69%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 18:17
Updated-16 Apr, 2026 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
shopware/commercial: `/api/_info/config` route exposes information about licenses

Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.

Action-Not Available
Vendor-shopware
Product-commercial
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-24747
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.3||MEDIUM
EPSS-1.08% / 61.32%
||
7 Day CHG~0.00%
Published-09 Mar, 2022 | 22:25
Updated-23 Apr, 2025 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP caching is marking private HTTP headers as public

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. Affected versions of shopware do no properly set sensitive HTTP headers to be non-cacheable. If there is an HTTP cache between the server and client then headers may be exposed via HTTP caches. This issue has been resolved in version 6.4.8.2. There are no known workarounds.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2021-32712
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.14% / 62.90%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 20:50
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information leakage in Error Handler

Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareshopware
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-209
Generation of Error Message Containing Sensitive Information
CVE-2021-32717
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.46% / 70.64%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 21:10
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Private files publicly accessible with Cloud Storage providers

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command `./bin/console s3:set-visibility` to correct your cloud file visibilities.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2021-32716
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.4||MEDIUM
EPSS-1.11% / 62.29%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 21:05
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Internal hidden fields are visible on to many associations in admin api

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-32711
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-1.36% / 68.58%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 20:05
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Leak of information via Store-API

Shopware is an open source eCommerce platform. Versions prior to 6.3.5.1 may leak of information via Store-API. The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. We recommend to update to the current version 6.3.5.1. You can get the update to 6.3.5.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 The vulnerability could only be fixed by changing the API system, which involves a non-backward-compatible change. Only consumers of the Store-API should be affected by this change. Please check your plugins if you have it in use. Detailed technical information can be found in the upgrade information. https://github.com/shopware/platform/blob/v6.3.5.1/UPGRADE-6.3.md#6351 ### Workarounds For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659 ### For more information https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-02-2021

Action-Not Available
Vendor-shopwareshopware
Product-shopwareplatform
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-34098
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.61% / 45.20%
||
7 Day CHG~0.00%
Published-27 Jun, 2023 | 16:25
Updated-07 Nov, 2024 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Dependency configuration exposed in Shopware

Shopware is an open source e-commerce software. Due to an incorrect configuration in the `.htaccess` file, the configuration file of the Javascript could be read in production environments (`themes/package-lock.json`). With this information, the specific Shopware version in a deployment might be determined by an attacker, which could be used for further attacks. Users are advised to update to version 5.7.18. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-shopwareshopwareshopware
Product-shopwareshopwareshopware
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-36101
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.55% / 42.15%
||
7 Day CHG+0.02%
Published-12 Sep, 2022 | 20:00
Updated-23 Apr, 2025 | 17:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sensitive data in backend customer module

Shopware is an open source e-commerce software. In affected versions the request for the customer detail view in the backend administration contained sensitive data like the hashed password and the session ID. These fields are now explicitly unset in version 5.7.15. Users are advised to update and may get the update either via the Auto-Updater or directly via the download overview. There are no known workarounds for this issue.

Action-Not Available
Vendor-shopwareshopware
Product-shopwareshopware
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-39203
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.94% / 56.95%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 22:00
Updated-04 Aug, 2024 | 01:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Private data disclosure/privilege escalation through the block editor in Wordpress

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.

Action-Not Available
Vendor-WordPressWordPress.org
Product-wordpresswordpress-develop
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-41786
Matching Score-4
Assigner-Pandora FMS
ShareView Details
Matching Score-4
Assigner-Pandora FMS
CVSS Score-6.8||MEDIUM
EPSS-0.54% / 41.97%
||
7 Day CHG~0.00%
Published-23 Nov, 2023 | 14:27
Updated-15 Oct, 2024 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Database backups availability by low-privileged users

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Pandora FMS on all allows File Discovery. This vulnerability allows users with low privileges to download database backups. This issue affects Pandora FMS: from 700 through 772.

Action-Not Available
Vendor-Pandora FMS S.L.U.
Product-pandora_fmsPandora FMS
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2023-38729
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.57% / 43.23%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 12:27
Updated-31 Jan, 2025 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Db2 information disclosure

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to sensitive information disclosure when using ADMIN_CMD with IMPORT or EXPORT.

Action-Not Available
Vendor-Microsoft CorporationHP Inc.IBM CorporationLinux Kernel Organization, IncOracle Corporation
Product-hp-uxwindowssolarisaixlinux_on_ibm_zlinux_kerneldb2Db2 for Linux, UNIX and Windowsdb2_connect_serverdb2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Details not found