Skip to main content

Shopware CVE-2026-48015

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-04 https://github.com/shopware/shopware GHSA-xvhc-gm7j-mhmc
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 04, 2026 - 20:02 vuln.today
Analysis Generated
Jun 04, 2026 - 20:02 vuln.today
CVE Published
Jun 04, 2026 - 19:35 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (onload, <script>, <foreignObject>) executes in the context of the Shopware domain when accessed.

The Problem

In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:

yaml
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]

SVG is whitelisted. The upload path (MediaUploadControllerFileSaverTypeDetector) recognizes SVG as ImageType with VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.

A search of the entire codebase for SVG sanitization returns - no DOMPurify, no svg-sanitize, no strip_tags on SVG content, nothing.

Impact

Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.

Suggested Fix

Either:

  1. Remove SVG from allowed_extensions if SVG upload is not a core requirement
  2. Sanitize SVG content on upload using a library like enshrined/svg-sanitize (strips scripts, event handlers, external references)
  3. Serve SVGs with Content-Disposition: attachment to prevent inline rendering
  4. Serve SVGs from a separate domain (like Nextcloud's usercontent.apps.nextcloud.com)

Option 2 is the most practical - enshrined/svg-sanitize is already used by WordPress and other PHP projects.

Regards & BG, Keyvan Hardani

AnalysisAI

Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.

Technical ContextAI

SVG is an XML-based image format that the W3C specification allows to embed JavaScript via inline event handlers (onload, onmouseover), script elements, and foreignObject tags. Shopware (PHP, Composer packages shopware/core and shopware/platform) whitelists SVG in src/Core/Framework/Resources/config/packages/shopware.yaml at line 194 under allowed_extensions. The upload processing chain recognizes the format as a legitimate image type but lacks any XML parsing or sanitization step that would strip executable content before persisting the file. CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) is the root cause class: user-controlled data (SVG XML content) reaches the browser without sanitization, enabling stored script injection. Affected Composer packages are shopware/core and shopware/platform covering both the 6.6.x and 6.7.x release branches.

RemediationAI

Upgrade shopware/core and shopware/platform to version 6.6.10.18 (for 6.6.x deployments) or 6.7.10.1 (for 6.7.x deployments) - these are vendor-released patches confirmed by GitHub release tags at https://github.com/shopware/shopware/releases/tag/v6.6.10.18 and https://github.com/shopware/shopware/releases/tag/v6.7.10.1. If immediate upgrade is not feasible, three workarounds exist with distinct trade-offs: (1) Remove SVG from the allowed_extensions list in shopware.yaml - eliminates the attack surface entirely but breaks any store functionality relying on SVG image uploads; (2) Configure the web server to serve files under the media directory with the Content-Disposition: attachment header for SVG MIME types - forces downloads rather than inline rendering, preventing XSS execution, but disrupts legitimate SVG display use cases; (3) Restrict the media manager to highly trusted admin accounts only via ACL configuration - reduces exposure but does not eliminate it since the vulnerability requires only standard admin access. Adding the enshrined/svg-sanitize Composer library (already used by WordPress) for upload-time sanitization is noted as the most practical long-term fix per the advisory author.

CVE-2023-26482 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2020-8180 CRITICAL POC
9.9 Jun 08

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co

CVE-2023-48306 CRITICAL POC
9.8 Nov 21

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),

CVE-2016-9463 HIGH POC
8.1 Mar 28

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti

CVE-2023-31128 HIGH POC
8.8 May 26

NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2023-28643 HIGH POC
8.8 Mar 30

Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo

CVE-2021-22879 HIGH POC
8.8 Apr 14

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi

CVE-2019-12739 HIGH POC
8.8 Jun 05

lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi

CVE-2020-8259 HIGH POC
8.1 Nov 16

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the

CVE-2020-8121 HIGH POC
8.1 Feb 04

A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high

CVE-2020-8182 HIGH POC
8.0 Oct 05

Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss

CVE-2020-8224 HIGH POC
7.8 Aug 10

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi

Share

CVE-2026-48015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy