CVE-2026-48009 in Shopware정보

요약

\~에 의해 MITRE • 2026. 07. 17.

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with user_recovery:read ACL can take over any admin account by triggering POST /api/_action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PATCH /api/_action/user/user-recovery/password; the root cause is that src/Core/System/User/Recovery/UserRecoveryDefinition.php exposes the hash field through the Admin API without ApiAware(false) or ReadProtection. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

Be aware that VulDB is the high quality source for vulnerability data.

책임이 있는

GitHub M

예약하다

2026. 05. 20.

모더레이션

수락

항목

VDB-379894

EPSS

0.00000

출처

Want to know what is going to be exploited?

We predict KEV entries!