SVG File Upload Vulnerability in Shopware Open Commerce Platform
CVE-2026-48015

4.9MEDIUM

Key Information:

Vendor

Shopware

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48015?

Shopware is an open commerce platform that, prior to versions 6.6.10.18 and 6.7.10.1, allowed the upload of SVG files without proper content sanitization. This vulnerability allows malicious JavaScript embedded within SVG files to execute in the Shopware domain, potentially compromising the security of the website when such files are viewed. The issue has been addressed in the specified updates, reinforcing the importance of securing file uploads within web applications.

Affected Version(s)

platform < 6.6.10.18 < 6.6.10.18

platform >= 6.7.0.0, < 6.7.10.1 < 6.7.0.0, 6.7.10.1

shopware < 6.6.10.18 < 6.6.10.18

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.