All known vulnerabilities

| Severity | CVSS | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.8 | CVE-2023-22731 | Shopware vulnerable to Improper Control of Generation of Code in Twig rendered views | from 0, < 6.4.18.1 |
| | | | | from 0, < 6.5.7.4 |
| | | | | from 0, < 6.3.5.1 |
| HIGH | 8.9 | CVE-2026-31889 | Shopware vulnerable to a potential takeover of app credentials | >= 6.7.0.0, < 6.7.8.1 |
| HIGH | 8.8 | CVE-2023-2017 | Shopware has Improper Control of Generation of Code in Twig rendered views | from 0, < 6.4.20.1 |
| | | | | from 0, < 6.2.3 |
| | | | | from 0, < 6.4.3.1 |
| HIGH | 8.8 | CVE-2021-37711 | Authenticated server-side request forgery in file upload via URL | from 0, < 6.4.3.1 |
| HIGH | 8.3 | CVE-2024-42356 | Shopware vulnerable to Server Side Template Injection in Twig using Context functions | from 0, < 6.5.8.13 |
| HIGH | 8.3 | CVE-2024-42355 | Shopware vulnerable to Server Side Template Injection in Twig using deprecation silence tag | from 0, < 6.5.8.13 |
| | | | | from 0, < 6.4.10.1 |
| | | | | from 0, < 6.4.3.1 |
| HIGH | 7.5 | CVE-2025-30151 | Shopware allows Denial of Service via password length | >= 6.6.0.0, < 6.6.10.3 |
| HIGH | 7.5 | CVE-2024-27917 | Shopware's session is persistent in cache for 404 pages | >= 6.5.8.0, < 6.5.8.7 |
| HIGH | 7.5 | CVE-2020-13997 | Shopware database password is leaked to unauthenticated users | >= 6.0.0, < 6.2.3 |
| HIGH | 7.5 | CVE-2021-32717 | Private files publicly accessible with Cloud Storage providers | from 0, < 6.4.1.1 |
| HIGH | 7.3 | CVE-2025-27892 | Shopware vulnerable to blind SQL injection in DAL aggregations | >= 6.7.0.0-rc1, < 6.7.0.0-rc2 |
| HIGH | 7.3 | CVE-2024-42357 | Shopware vulnerable to blind SQL injection in DAL aggregations | from 0, < 6.5.8.13 |
| | | | | from 0, < 6.4.10.1 |
| MEDIUM | 6.5 | CVE-2021-37709 | Insecure direct object reference of log files of the Import/Export feature | from 0, < 6.4.3.1 |
| | | | | from 0, < 6.4.3.1 |
| MEDIUM | 6.3 | CVE-2023-22730 | Shopware vulnerable to Improper Input Validation of clearance sale in cart | from 0, < 6.4.18.1 |
| MEDIUM | 6.3 | CVE-2022-24747 | HTTP caching is marking private HTTP headers as public in Shopware | from 0, < 6.4.8.2 |
| MEDIUM | 6.1 | CVE-2022-24746 | HTML injection possibility in voucher code form in Shopware | from 0, < 6.4.8.1 |
| | | | | from 0, < 6.2.3 |
| MEDIUM | 5.3 | CVE-2026-31888 | Shopware has user enumeration via distinct error codes on Store API login endpoint | >= 6.7.0.0, < 6.7.8.1 |
| MEDIUM | 5.3 | CVE-2025-32378 | Shopware default newsletter opt-in settings allow for mass sign-up abuse | >= 6.6.0.0-rc1, < 6.6.10.3 |
| MEDIUM | 5.3 | CVE-2025-30150 | Shopware 6 allows attackers to check for registered accounts through the store-api | >= 6.6.0.0, < 6.6.10.3 |
| MEDIUM | 5.3 | CVE-2024-42354 | Shopware vulnerable to Improper Access Control with ManyToMany associations in store-api | from 0, < 6.5.8.13 |
| MEDIUM | 5.3 | CVE-2024-31447 | Shopware Improper Session Handling in store-api account logout | >= 6.3.5.0, < 6.5.8.8 |
| | | | | from 0, < 6.5.7.4 |
| MEDIUM | 4.9 | CVE-2021-32709 | Creation of order credits was not validated by ACL in admin orders | from 0, < 6.4.1.1 |
| MEDIUM | 4.8 | CVE-2022-24745 | Shopware guest session is shared between customers | from 0, < 6.4.8.2 |
| MEDIUM | 4.4 | CVE-2021-32716 | Internal hidden fields are visible on to-many associations in Admin API | from 0, < 6.4.1.1 |
| MEDIUM | 4.3 | CVE-2023-22734 | Shopware has Improper Input Validation issue in newsletter subscription | from 0, < 6.4.18.1 |
| LOW | 3.7 | CVE-2023-22732 | Shopware has Insufficient Session Expiration in Administration | from 0, < 6.4.18.1 |
| LOW | 2.7 | CVE-2023-22733 | Shopware's log module vulnerable to Improper Output Neutralization | from 0, < 6.4.18.1 |
| LOW | 2.6 | CVE-2022-24744 | Shopware user session is not logged out if the password is reset via password recovery | from 0, < 6.4.8.1 |
| — | — | CVE-2026-31887 | Shopware: Unauthenticated data extraction possible through store-api.order endpoint | >= 6.7.0.0, < 6.7.8.1 |
| — | — | CVE-2025-7954 | Shopware race condition bypasses voucher restrictions | from 0, <= 6.6.10.4 |
| | | | | from 0, < 6.3.5.2 |