CVE-2025-67648

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58	Patch
https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:shopware:shopware::::::::
	cpe:2.3:a:shopware:shopware::::::::

History

17 Mar 2026, 19:43

Type	Values Removed	Values Added
First Time		Shopware Shopware shopware
CPE		cpe:2.3:a:shopware:shopware::::::::
References	~~() https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58 -~~	() https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58 - Patch
References	~~() https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2 -~~	() https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2 - Vendor Advisory

11 Dec 2025, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-11 00:16

Updated : 2026-03-17 19:43

NVD link : CVE-2025-67648

Mitre link : CVE-2025-67648

CVE.ORG link : CVE-2025-67648

JSON object : View

Products Affected

shopware

shopware

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-67648", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-12-11T00:16:23.557", "references": [{"url": "https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1."}], "lastModified": "2026-03-17T19:43:54.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F912C545-B472-43DB-8CAC-E9A5791D6E8B", "versionEndExcluding": "6.6.10.10", "versionStartIncluding": "6.4.6.0"}, {"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DBFD7B3-151A-46E7-81CE-30971D05FD21", "versionEndExcluding": "6.7.5.1", "versionStartIncluding": "6.7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}