Mass Newsletter Sign-Up Vulnerability in Shopware E-commerce Platform
CVE-2025-32378
What is CVE-2025-32378?
The Shopware e-commerce platform, prior to versions 6.6.10.3 and 6.5.8.17, is affected by a vulnerability that allows for mass unsolicited newsletter sign-ups. This occurs due to default configurations that enable the double opt-in feature for newsletters but leave certain options disabled, such as the requirement for email confirmation for newsletter subscriptions. As a result, users can register accounts with any email address and subscribe to newsletters without needing to verify their email. This flaw can lead to misuse for spam and other malicious activities. Users are advised to update to the patched versions to secure their platforms.

Affected Version(s)
shopware < 6.5.8.17
shopware >= 6.6.0.0, < 6.6.10.3
shopware >= 6.7.0.0-rc1, < 6.7.0.0-rc2
