CVE-2026-48015
Deferred Deferred - Pending Action

Stored XSS in Shopware via Malicious SVG Upload

Vulnerability report for CVE-2026-48015, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowed_extensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from MediaUploadController to FileSaver to TypeDetector, allowing malicious SVG JavaScript such as onload, <script>, and <foreignObject> to execute in the Shopware domain when the uploaded SVG is viewed. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 9 associated CPEs
Vendor Product Version / Range
shopware shopware to 6.7.10.1 (exc)
shopware shopware to 6.6.10.18 (exc)
shopware shopware From 6.6.10.0 (inc) to 6.6.10.17 (inc)
shopware shopware From 6.7.0.0 (inc) to 6.7.10.1 (exc)
shopware shopware to 6.7.10.0 (inc)
shopware shopware 6.7.10.1
shopware shopware 6.6.10.18
shopware shopware From 6.7.0.0 (inc) to 6.7.10.0 (inc)
shopware shopware 6.7.10.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48015 is a stored cross-site scripting (XSS) vulnerability in Shopware, an e-commerce platform. SVG files can be uploaded without sanitization, allowing malicious JavaScript like onload handlers or script tags to execute when the SVG is viewed in the Shopware domain. This affects versions 6.7.0.0 to 6.7.10.0 and 6.6.10.0 to 6.6.10.17.

Detection Guidance

Check for unauthorized SVG uploads in the media manager. Review server logs for suspicious SVG files containing JavaScript or event handlers like onload. Use commands like grep to search for uploaded SVGs with script tags or event handlers in the media directory.

Impact Analysis

An attacker could upload a malicious SVG file to gain admin account access, steal customer data, or install malicious plugins. Users viewing the SVG may unknowingly execute embedded JavaScript, leading to unauthorized actions or data exposure.

Compliance Impact

This vulnerability could lead to unauthorized data access or theft, violating GDPR (data protection) and HIPAA (health data privacy) requirements. Organizations may face compliance breaches if customer or patient data is compromised through this exploit.

Mitigation Strategies

Upgrade Shopware to versions 6.6.10.18 or 6.7.10.1 or later. Remove SVG from allowed file extensions in shopware.yaml. Sanitize SVG content during upload using a library like enshrined/svg-sanitize. Serve SVGs with Content-Disposition: attachment or host them on a separate domain.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48015. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart