Shopware CVE-2026-48015
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (onload, <script>, <foreignObject>) executes in the context of the Shopware domain when accessed.
The Problem
In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as ImageType with VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.
A search of the entire codebase for SVG sanitization returns - no DOMPurify, no svg-sanitize, no strip_tags on SVG content, nothing.
Impact
Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.
Suggested Fix
Either:
- Remove SVG from
allowed_extensionsif SVG upload is not a core requirement - Sanitize SVG content on upload using a library like
enshrined/svg-sanitize(strips scripts, event handlers, external references) - Serve SVGs with
Content-Disposition: attachmentto prevent inline rendering - Serve SVGs from a separate domain (like Nextcloud's
usercontent.apps.nextcloud.com)
Option 2 is the most practical - enshrined/svg-sanitize is already used by WordPress and other PHP projects.
Regards & BG, Keyvan Hardani
AnalysisAI
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
Technical ContextAI
SVG is an XML-based image format that the W3C specification allows to embed JavaScript via inline event handlers (onload, onmouseover), script elements, and foreignObject tags. Shopware (PHP, Composer packages shopware/core and shopware/platform) whitelists SVG in src/Core/Framework/Resources/config/packages/shopware.yaml at line 194 under allowed_extensions. The upload processing chain recognizes the format as a legitimate image type but lacks any XML parsing or sanitization step that would strip executable content before persisting the file. CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) is the root cause class: user-controlled data (SVG XML content) reaches the browser without sanitization, enabling stored script injection. Affected Composer packages are shopware/core and shopware/platform covering both the 6.6.x and 6.7.x release branches.
RemediationAI
Upgrade shopware/core and shopware/platform to version 6.6.10.18 (for 6.6.x deployments) or 6.7.10.1 (for 6.7.x deployments) - these are vendor-released patches confirmed by GitHub release tags at https://github.com/shopware/shopware/releases/tag/v6.6.10.18 and https://github.com/shopware/shopware/releases/tag/v6.7.10.1. If immediate upgrade is not feasible, three workarounds exist with distinct trade-offs: (1) Remove SVG from the allowed_extensions list in shopware.yaml - eliminates the attack surface entirely but breaks any store functionality relying on SVG image uploads; (2) Configure the web server to serve files under the media directory with the Content-Disposition: attachment header for SVG MIME types - forces downloads rather than inline rendering, preventing XSS execution, but disrupts legitimate SVG display use cases; (3) Restrict the media manager to highly trusted admin accounts only via ACL configuration - reduces exposure but does not eliminate it since the vulnerability requires only standard admin access. Adding the enshrined/svg-sanitize Composer library (already used by WordPress) for upload-time sanitization is noted as the most practical long-term fix per the advisory author.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xvhc-gm7j-mhmc