SQL Injection Vulnerability in Shopware Affected by Previous Security Issues
CVE-2025-27892

Currently unrated

Key Information:

Vendor: Shopware

CVE Published: 15 April 2025

What is CVE-2025-27892?

A SQL injection vulnerability exists in the Shopware API, specifically in the /api/search/order endpoint. It affects versions prior to 6.5.8.13 and stems from regressions linked to previously identified vulnerabilities (CVE-2024-22406 and CVE-2024-42357). Exploitation could allow unauthorized access to sensitive data and manipulation of database queries, posing significant risks to affected systems.
