CVE-2026-48015 in ShopwareИнформация

Сводка

по MITRE • 17.07.2026

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowed_extensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from MediaUploadController to FileSaver to TypeDetector, allowing malicious SVG JavaScript such as onload, <script>, and <foreignObject> to execute in the Shopware domain when the uploaded SVG is viewed. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Ответственный

GitHub M

Резервировать

20.05.2026

Раскрытие

17.07.2026

Модерация

принято

Вход

VDB-379899

EPSS

0.00000

KEV

Нет

Деятельности

Низкий

Источники

Might our Artificial Intelligence support you?

Check our Alexa App!