Stored XSS Vulnerability in Shopware 6 Installation Interface by Shopware
CVE-2025-51541

6.1MEDIUM

Key Information:

Vendor: Shopware
Status: Shopware 6
Vendor: CVE Published:; 5 August 2025

What is CVE-2025-51541?

A stored cross-site scripting (XSS) vulnerability in the installation interface of Shopware 6 allows attackers to execute malicious JavaScript code persistently. The vulnerability stems from the failure to sanitize user inputs in the c_database_schema field on the /recovery/install/database-configuration/ page. Moreover, the lack of cross-site request forgery (CSRF) protections in the associated POST request can be leveraged by an unauthenticated remote attacker to inject harmful scripts. When a victim visits an affected installation page, the stored payload executes, leading to potential unauthorized access and manipulation of user sessions.

References

https://www.dax-tokaido.com/recovery/install/database-con...

https://gist.github.com/anonx-hunter/a7ef32a01d7d888413b0...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 5, 2025
Vulnerability Reserved
Jun 16, 2025