CVE-2026-48016 in Shopwareinformación

Resumen

por MITRE • 2026-07-17

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php without verifying order ownership or guest-order authentication, allowing a normal customer or guest context to trigger the payment flow for another user's order while /store-api/order enforces the expected ownership model. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsable

GitHub M

Reservar

2026-05-20

Divulgación

2026-07-17

Moderación

aceptado

Artículo

VDB-379898

CPE

listo

EPSS

0.00000

KEV

no

Actividades

muy bajo

Fuentes

Do you want to use VulDB in your project?

Use the official API to access entries easily!