This release includes 9 security fixes (each with a GitHub security advisory) and is relevant to security teams reviewing exposed deployments.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | SVG uploads now validated against strict passive allowlist, rejecting active content. | — |
| Security | Medium | URL validation for `external-link` endpoint aligned with `upload-from-url` flow. | — |
| Security | Medium | [GHSA-gv8p-48fr-4fxg] Privilege Escalation via Sync API Integration Admin Flag Bypass fixed. | — |
| Security | Medium | [GHSA-8v9p-g828-v98f] Admin Account Takeover via User Recovery Hash Exposure fixed. | — |
| Security | Medium | [GHSA-7w52-7jvm-m9vw] Timing attack on admin panel allowing enumeration of administrator usernames mitigated. | — |
| Security | Medium | [GHSA-v39m-97p8-gqg7] Privilege escalation: non-admin user with `user:create` ACL can create admin accounts fixed. | — |
| Security | Medium | [GHSA-4x3x-869w-xx3m] Shopware SSO referer trust leading to arbitrary redirect target mitigated. | — |
| Security | Medium | [GHSA-f8q6-3g5w-jjr6] Admin API ACL Bypass in Order State Transition Endpoints fixed. | — |
| Security | Medium | [GHSA-9v5m-39wh-5chq] Unauthorized Payment Trigger for Foreign Orders via `/store-api/handle-payment` fixed. | — |
| Security | Medium | [GHSA-xvhc-gm7j-mhmc] Stored XSS via SVG file upload - no SVG sanitization fixed. | — |
| Security | Medium | [GHSA-gq96-5pfx-f4vc] SSRF in Media External-Link Endpoint Bypasses IP Validation fixed. | — |
| Feature | Medium | Configuration options to adjust SVG allowlist elements, attributes, and reference attributes added. | — |
| Dependency | Low | Tested on PHP 8.2, 8.4, and 8.5. | — |
| Dependency | Low | Tested on MySQL 8 and MariaDB 11. | — |
| Deprecation | Medium | `MediaUploadService::validateExternalUrl()` deprecated, replaced by `assertValidExternalUrl()`. | — |
Full changelog
System requirements
- tested on PHP 8.2, 8.4 and 8.5
- tested on MySQL 8 and MariaDB 11
Critical Fixes
SVG uploads validate against a strict passive allowlist
SVG uploads in the media subsystem are now validated against a strict passive SVG allowlist before persistence.
Active content such as scripts, event handlers, processing instructions, external references, and URL-based references in attributes are rejected.
The default allowlist covers the W3C SVG2 presentation attribute set (https://www.w3.org/TR/SVG2/attindex.html#PresentationAttributes), ARIA accessibility attributes, the lang and xml:lang accessibility attributes, and the common safe structural elements a, image, marker, metadata, switch, symbol, and view. Anchor href / xlink:href references remain restricted to local document fragments (#id), so javascript:, data:, and remote URLs are rejected. Active content (scripts, event handlers, animations, foreign objects, processing instructions, DOCTYPEs, entities) and any external url(...) / @import references remain blocked regardless of the attribute that carries them.
The accepted SVG subset can be adjusted on installation level via shopware.media.svg.allowed_elements, shopware.media.svg.allowed_attributes, and shopware.media.svg.allowed_reference_attributes in shopware.yaml.
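How a passive allowlist check of this kind can be implemented, as an added example. This is not Shopware's code: the element and attribute sets below are an illustrative subset chosen for the example, not the project's defaults, and the check treats every `href`/`xlink:href` (not only anchors) as fragment-only, which is stricter than the text above requires. It uses expat directly so that DOCTYPEs, entity declarations and processing instructions are visible to the check rather than silently swallowed, and it inspects attribute values after the parser has decoded character references. The two sample SVGs are constructed for this example.

```python
import re
import xml.parsers.expat as expat

# Illustrative allowlists (assumption: a subset chosen for this example, not the
# project's defaults). Anything not listed is rejected, which is what makes the
# check "passive": script, style, foreignObject, animate*, set, ... are simply absent.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "metadata", "symbol", "use", "view",
    "switch", "marker", "a", "image", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath", "mask", "pattern",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "style", "lang", "xml:lang", "xml:space", "role", "xmlns",
    "xmlns:xlink", "version", "width", "height", "viewBox", "preserveAspectRatio",
    "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry", "d", "points",
    "transform", "offset", "refX", "refY", "markerWidth", "markerHeight", "orient",
    "gradientUnits", "patternUnits", "clipPathUnits", "maskUnits",
    # a slice of the SVG2 presentation attribute set
    "fill", "fill-opacity", "fill-rule", "stroke", "stroke-width", "stroke-linecap",
    "stroke-linejoin", "stroke-dasharray", "stroke-opacity", "opacity", "color",
    "display", "visibility", "font-family", "font-size", "font-weight",
    "text-anchor", "stop-color", "stop-opacity", "clip-path", "mask",
    "marker-start", "marker-mid", "marker-end",
}
# Reference-carrying attributes: only a local fragment (#id) is accepted.
REFERENCE_ATTRIBUTES = {"href", "xlink:href"}

_URL_REF = re.compile(r"url\s*\(\s*['\"]?\s*([^'\")\s]*)", re.IGNORECASE)
_FRAGMENT = re.compile(r"^#[^\s#]+$")


def validate_svg(data: bytes) -> list:
    """Return the list of violations; an empty list means the SVG is accepted."""
    problems = []
    seen_root = False

    def local(name):
        return name.rsplit(":", 1)[-1]

    def check_value_refs(attr, value):
        # url(...) and @import are blocked whatever attribute carries them
        # (style, fill, clip-path, mask, ...) unless the target is a local #fragment.
        if "@import" in value.lower():
            problems.append(f"@import in attribute {attr}")
        for target in _URL_REF.findall(value):
            if not _FRAGMENT.match(target):
                problems.append(f"external url() reference in attribute {attr}: {target!r}")

    def on_start(name, attrs):
        nonlocal seen_root
        elem = local(name)
        if not seen_root:
            seen_root = True
            if elem != "svg":
                problems.append(f"root element is <{elem}>, not <svg>")
        if elem not in ALLOWED_ELEMENTS:
            problems.append(f"element <{elem}> not in allowlist")
            return
        for attr, value in attrs.items():
            if attr.lower().startswith("on"):
                problems.append(f"event handler attribute {attr} on <{elem}>")
            elif attr in REFERENCE_ATTRIBUTES:
                # expat has already decoded &#x..; escapes, so an obfuscated
                # javascript: or data: URL is seen in clear here.
                if not _FRAGMENT.match(value.strip()):
                    problems.append(f"non-local reference {attr}={value!r} on <{elem}>")
            elif attr not in ALLOWED_ATTRIBUTES and not attr.startswith("aria-"):
                problems.append(f"attribute {attr} on <{elem}> not in allowlist")
            else:
                check_value_refs(attr, value)

    parser = expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.ProcessingInstructionHandler = lambda target, _data: problems.append(
        f"processing instruction <?{target}?>")
    parser.StartDoctypeDeclHandler = lambda *_args: problems.append("DOCTYPE declaration")
    parser.EntityDeclHandler = lambda name, *_args: problems.append(f"entity declaration {name}")
    # No ExternalEntityRefHandler is installed, so expat never fetches external entities.
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        problems.append(f"not well-formed XML: {exc}")
    return problems


# Constructed samples (not taken from the page or from any real upload).
SAFE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" aria-label="logo" xml:lang="en">
  <defs><linearGradient id="g"><stop offset="0" stop-color="#fff"/></linearGradient></defs>
  <a href="#g"><rect x="1" y="1" width="50" height="50" fill="url(#g)"/></a>
</svg>"""

XSS_SVG = b"""<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/hostname">]>
<?xml-stylesheet href="https://evil.example/s.css"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(1)</script>
  <a xlink:href="&#x6A;avascript:alert(1)"><circle r="5"/></a>
  <rect width="5" height="5" style="fill:url(https://evil.example/p.svg#x);@import 'x'"/>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">x</div></foreignObject>
</svg>"""
```

Running `validate_svg(SAFE_SVG)` returns an empty list, while `validate_svg(XSS_SVG)` reports the DOCTYPE, the entity declaration, the `xml-stylesheet` instruction, `onload`, `<script>`, the decoded `javascript:` reference, the external `url()` and `@import` in `style`, and `<foreignObject>` with its child. Checking decoded attribute values after parsing is the design point: a regex over the raw bytes would miss `&#x6A;avascript:`, and a check that never sees the DOCTYPE cannot reject entities.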
external-link endpoint URL validation aligned with upload-from-url
The URL validation for the external-link endpoint is now in line with the existing validation in the upload-from-url flow.
The static MediaUploadService::validateExternalUrl() is deprecated in favour of the new assertValidExternalUrl() method on the service.
See UPGRADE-6.8.md for migration details.
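An added example of the kind of check an external-link or upload-from-url flow needs before the server fetches a user-supplied URL. It is not the project's `assertValidExternalUrl()`: the function names, the rejection rules and the `FAKE_DNS` table are assumptions made for illustration (the table stands in for DNS so the example runs offline). The function resolves the host itself, vets every returned address, unwraps IPv4-mapped IPv6 literals, refuses non-canonical numeric hosts, and returns the vetted addresses so the caller can connect to them instead of re-resolving.

```python
import ipaddress
import re
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# RFC 1123 hostname (urlsplit has already lowercased it).
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?$")


class InvalidExternalUrl(ValueError):
    """Raised when a URL must not be fetched server-side."""


def _system_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for the host; all of them get vetted."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise InvalidExternalUrl(f"cannot resolve {host!r}: {exc}") from exc
    return sorted({info[4][0] for info in infos})


def _assert_public(ip) -> None:
    # Unwrap ::ffff:a.b.c.d so an IPv6 literal cannot smuggle an IPv4 address past the checks.
    target = ip.ipv4_mapped if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped else ip
    if (not target.is_global or target.is_private or target.is_loopback or target.is_link_local
            or target.is_multicast or target.is_reserved or target.is_unspecified):
        raise InvalidExternalUrl(f"{ip} is not a public address")


def _parse_literal(host: str):
    """ip_address for a canonical literal, None for a hostname, error for anything odd."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    # '2130706433', '0x7f.0.0.1' or '127.1' are not valid hostnames (the top label may
    # not be all digits) and were not accepted as addresses above: refuse them rather
    # than let the resolver or the HTTP client interpret them as 127.0.0.1.
    if host.rsplit(".", 1)[-1].isdigit() or host.startswith("0x"):
        raise InvalidExternalUrl(f"non-canonical address literal {host!r}")
    if not _HOSTNAME.match(host):
        raise InvalidExternalUrl(f"invalid hostname {host!r}")
    return None


def assert_valid_external_url(url: str,
                              resolve: Callable[[str], List[str]] = _system_resolve) -> List[str]:
    """Validate a fetch URL; return the vetted IP addresses the caller should connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise InvalidExternalUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise InvalidExternalUrl("credentials in URL not allowed")
    host = parts.hostname  # lowercased; [brackets] stripped from IPv6 literals
    if not host:
        raise InvalidExternalUrl("missing host")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise InvalidExternalUrl(f"bad port: {exc}") from exc
    literal = _parse_literal(host)
    addresses = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        raise InvalidExternalUrl(f"{host!r} has no addresses")
    for ip in addresses:  # one bad answer in a mixed response rejects the whole URL
        _assert_public(ip)
    return [str(ip) for ip in addresses]


# Constructed DNS answers for the offline demo (assumption: none of these are real hosts).
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.35", "127.0.0.1"],  # mixed public/loopback answer
    "metadata.internal": ["169.254.169.254"],          # cloud metadata endpoint
    "v6map.example": ["::ffff:10.0.0.5"],              # IPv4-mapped private address
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise InvalidExternalUrl(f"cannot resolve {host!r}")
    return FAKE_DNS[host]


def check(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> Optional[str]:
    """None if the URL is accepted, otherwise the rejection reason."""
    try:
        assert_valid_external_url(url, resolve)
        return None
    except InvalidExternalUrl as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ("https://cdn.example/logo.png", "http://metadata.internal/latest/",
              "http://[::ffff:127.0.0.1]/", "http://2130706433/"):
        print(u, "->", check(u) or "accepted")
```

Two caveats a practitioner should carry over to any real implementation: the check is only as good as its binding to the connection (use the returned addresses, or re-validate at connect time, to avoid a DNS answer that changes between check and fetch), and every redirect target the HTTP client follows must go through the same validation, since a public host can redirect to a private one.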
What's Changed
- GHSA-gv8p-48fr-4fxg - Privilege Escalation via Sync API Integration Admin Flag Bypass
- GHSA-8v9p-g828-v98f - Admin Account Takeover via User Recovery Hash Exposure
- GHSA-7w52-7jvm-m9vw - Timing-attack on admin panel allowing enumeration of administrator usernames
- GHSA-v39m-97p8-gqg7 - Privilege escalation: non-admin user with user:create ACL can create admin accounts
- GHSA-4x3x-869w-xx3m - Shopware SSO referer trust leading to an arbitrary redirect target
- GHSA-f8q6-3g5w-jjr6 - Admin API ACL Bypass in Order State Transition Endpoints
- GHSA-9v5m-39wh-5chq - Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
- GHSA-xvhc-gm7j-mhmc - Stored XSS via SVG file upload - no SVG sanitization
- GHSA-gq96-5pfx-f4vc - SSRF in Media External-Link Endpoint Bypasses IP Validation
Full Changelog: https://github.com/shopware/shopware/compare/v6.7.10.0...v6.7.10.1
Get in touch
Discuss decisions, bugs you might stumble upon, etc. in our community Discord. See you there ;)
Breaking Changes
- Deprecation of `MediaUploadService::validateExternalUrl()` in favour of `assertValidExternalUrl()`
Security Fixes
- GHSA-gv8p-48fr-4fxg – Privilege Escalation via Sync API Integration Admin Flag Bypass
- GHSA-8v9p-g828-v98f – Admin Account Takeover via User Recovery Hash Exposure
- GHSA-7w52-7jvm-m9vw – Timing-attack allowing enumeration of administrator usernames
- GHSA-v39m-97p8-gqg7 – Privilege escalation: non-admin user with `user:create` ACL can create admin accounts
- GHSA-4x3x-869w-xx3m – Shopware SSO referer trust leading to arbitrary redirect target
- GHSA-f8q6-3g5w-jjr6 – Admin API ACL Bypass in Order State Transition Endpoints
- GHSA-9v5m-39wh-5chq – Unauthorized Payment Trigger for Foreign Orders via `/store-api/handle-payment`
- GHSA-xvhc-gm7j-mhmc – Stored XSS via SVG file upload (no sanitization)
- GHSA-gq96-5pfx-f4vc – SSRF in Media External-Link Endpoint bypasses IP validation
About Shopware Community Edition
PHP based open source e-commerce software made in Germany.