| CVE-2026-48013 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation |
| CVE-2026-48015 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Stored XSS via SVG file upload — no SVG sanitization |
| CVE-2026-48016 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment |
| CVE-2026-48014 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Admin API ACL Bypass in Order State Transition Endpoints |
| CVE-2026-48012 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware SSO referer trust leading to an arbitrary redirect target |
| CVE-2026-48011 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames |
| CVE-2026-48010 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts |
| CVE-2026-48009 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Admin Account Takeover via User Recovery Hash Exposure |
| CVE-2026-48008 |
unknown |
— |
— |
|
|
|
17h ago |
Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass |
