Shopware · Shopware 6 · CVE-2025-51541
**Name of the Vulnerable Software and Affected Versions**
Shopware 6 (affected versions not specified)
**Description**
A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface. The value submitted in the `c database schema` field of the database-configuration step is stored and later rendered in the browser without output encoding, so a value containing markup is interpreted as HTML and JavaScript when the page is displayed. Because the POST request that saves the value carries no CSRF protection, the attacker does not need to reach the installer themselves: an unauthenticated remote attacker can host a web page that, when visited by a victim whose browser can reach the installer, submits the request cross-site, and the payload is persisted in the installation configuration. From then on the script runs for every user who opens the vulnerable installation page, giving persistent client-side code execution in the installer's origin.

The vulnerable endpoint is `/recovery/install/database-configuration/`; the vulnerable parameter is `c database schema`. The attack only succeeds while the installation interface is reachable by the victim's browser, so instances whose installer has already been removed or blocked are not exposed to this path.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is available, the exposure can be removed at its root: the attack requires the installation interface to be reachable, so make sure `/recovery/install/` is removed or blocked at the web server or reverse proxy once installation is complete, and do not expose an in-progress installer to untrusted networks. This is a general mitigation for the described attack path, not vendor guidance.