
CoreShop

v4.1.11 Security

This release includes 1 security fix; security teams reviewing exposed deployments should read the full changelog below. The linked release notes reference no CVE identifier for it.

Topics

commerce commerce-engine coreshop e-commerce ecommerce ecommerce-platform pimcore pimcore-ecommerce pimcore-plugin shop

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 1d

Version 4.1.11 of CoreShop resolves critical password‑reset vulnerabilities and upgrades order token generation to use a CSPRNG.

Why it matters: the password‑reset fix addresses user enumeration, weak tokens, plaintext token storage and a missing TTL (severity 90); the order‑token fix raises entropy by generating 32‑character tokens from a CSPRNG (severity 40).

Summary

AI summary

Fixes multiple critical password‑reset vulnerabilities and enhances order token entropy using a CSPRNG.

Changes in this release

Security Critical

Fixes password reset security issues: user enumeration, weak tokens, plaintext storage, missing TTL

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Fixes order token generator entropy using CSPRNG and 32-char tokens

Source: llm_adapter@2026-06-02

Confidence: high

Refactor Low

Refactors OpenSearchWorker delete methods for index operations

Source: llm_adapter@2026-06-02

Confidence: high

Other Medium

Backports passwordResetHashCreatedAt user migration from 2026.x version

Source: llm_adapter@2026-06-02

Confidence: low

Full changelog

What's Changed

  • Fix order token generator entropy using CSPRNG and 32-char tokens by @Copilot in https://github.com/coreshop/CoreShop/pull/2964
  • Fix password reset security: user enumeration, weak tokens, plaintext storage, missing TTL by @Copilot in https://github.com/coreshop/CoreShop/pull/2961
  • backport passwordResetHashCreatedAt user migration from 2026.x by @dpfaffenbauer in https://github.com/coreshop/CoreShop/pull/3008
  • [IndexBundle] OpenSearchWorker: Refactor delete methods for index operations by @aarongerig in https://github.com/coreshop/CoreShop/pull/3028

Full Changelog: https://github.com/coreshop/CoreShop/compare/4.1.10...4.1.11

Security Fixes

  • Fix password reset security: eliminates user enumeration, uses strong CSPRNG tokens with TTL, removes plaintext storage
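The four password-reset defects listed above (user enumeration, weak tokens, plaintext storage, missing TTL) and the order-token entropy fix share one root pattern: a CSPRNG-generated token, only its hash persisted, a creation timestamp checked against a TTL, and an identical reply whether or not the address exists. The block below is an added example written for this page, not CoreShop's code. The class and method names (PasswordReset, request_reset, consume_reset), the 24-byte / 32-character token encoding, the one-hour TTL, the in-memory dict standing in for the user table and the address alice@example.test are all assumptions; generate_token is the same CSPRNG approach the order-token item describes, so the one block serves both changelog entries. weak_request_reset is a constructed illustration of the defects, not the code the release replaced.

```python
"""Hardened password-reset flow beside a constructed weak one.

Added example, not CoreShop code. An in-memory dict stands in for the user
table; token length and TTL are assumptions (the release notes give no values).
"""
import hashlib
import random
import secrets
import time

TOKEN_BYTES = 24            # 24 random bytes -> 32 base64url characters (assumed encoding)
RESET_TTL_SECONDS = 3600    # assumed TTL; not stated by the release
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


def generate_token(nbytes: int = TOKEN_BYTES) -> str:
    """CSPRNG token; the same generator suits order tokens (24 bytes -> 32 chars)."""
    return secrets.token_urlsafe(nbytes)


def hash_token(token: str) -> str:
    """Only this digest is stored, so a database dump yields no usable reset links."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


# --- constructed illustration of the defects the release fixes ------------------
def weak_request_reset(users: dict, email: str) -> str:
    user = users.get(email)
    if user is None:
        return "No account for that address."               # user enumeration
    token = hashlib.md5(str(random.random()).encode()).hexdigest()  # not a CSPRNG
    user["reset_hash"] = token                               # plaintext, no created_at
    return f"Reset link: /reset?token={token}"


# --- hardened flow ---------------------------------------------------------------
class PasswordReset:
    def __init__(self, users: dict, ttl: int = RESET_TTL_SECONDS, now=time.time):
        self.users = users      # email -> {"password", "reset_hash", "reset_created_at"}
        self.by_hash = {}       # sha256(token) -> email; the reset link carries only the token
        self.ttl = ttl
        self.now = now          # injectable clock so expiry is testable
        self.outbox = []        # (email, token) pairs a mailer would deliver

    def request_reset(self, email: str) -> str:
        user = self.users.get(email.lower())
        # Same work and same reply whether or not the address exists: the
        # response (and its cost) reveals nothing about registered accounts.
        token = generate_token()
        digest = hash_token(token)
        if user is not None:
            self._clear(user)
            user["reset_hash"] = digest
            user["reset_created_at"] = self.now()
            self.by_hash[digest] = email.lower()
            self.outbox.append((email.lower(), token))
        return GENERIC_REPLY

    def consume_reset(self, token: str, new_password: str) -> bool:
        # Lookup is by digest of a 192-bit random token, so an index hit is the
        # only comparison needed; the plaintext token is never stored or compared.
        email = self.by_hash.get(hash_token(token))
        if email is None:
            return False
        user = self.users[email]
        if self.now() - user["reset_created_at"] > self.ttl:
            self._clear(user)                                # expired
            return False
        user["password"] = new_password                      # real code stores a password hash
        self._clear(user)                                    # single use
        return True

    def _clear(self, user: dict) -> None:
        digest = user.get("reset_hash")
        if digest:
            self.by_hash.pop(digest, None)
        user["reset_hash"] = None
        user["reset_created_at"] = None


def demo() -> dict:
    """Exercise the flow with a fake clock; returns the observations."""
    clock = {"t": 1_000_000.0}
    users = {"alice@example.test": {"password": "old", "reset_hash": None, "reset_created_at": None}}
    pr = PasswordReset(users, now=lambda: clock["t"])
    same_reply = pr.request_reset("alice@example.test") == pr.request_reset("nobody@example.test")
    _, token = pr.outbox[-1]
    stored_plaintext = token in str(users)                   # False: only the digest is kept
    wrong = pr.consume_reset("x" * 32, "new")                # False: unknown token
    clock["t"] += RESET_TTL_SECONDS + 1
    expired = pr.consume_reset(token, "new")                 # False: TTL elapsed
    pr.request_reset("alice@example.test")
    _, token2 = pr.outbox[-1]
    ok = pr.consume_reset(token2, "new")                     # True
    replay = pr.consume_reset(token2, "again")               # False: single use
    return {"same_reply": same_reply, "token_len": len(token), "stored_plaintext": stored_plaintext,
            "wrong": wrong, "expired": expired, "ok": ok, "replay": replay,
            "password": users["alice@example.test"]["password"]}


if __name__ == "__main__":
    print(demo())
```

The hidden difference between the two versions is in what an attacker can do with partial access: with the weak flow a database read gives working reset links for every account and the reply text confirms which addresses are registered; with the hardened flow a dump yields only digests, every token dies after one use or one TTL window, and both replies are byte-identical. Audit a deployment by checking that the reset column holds digests, that a created-at column exists (the passwordResetHashCreatedAt migration in this release), and that the request endpoint answers the same for known and unknown addresses.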


About CoreShop

E-commerce plugin for Pimcore.
