Stevenseeley

**Name of the Vulnerable Software and Affected Versions** Shopware versions prior to 5.7 **Description** A PHP object instantiation issue in Shopware allows a crafted web request to trigger an arbitrary deserialization, potentially leading to remote code execution if the right class is instantiated. This issue bypasses a previous whitelist patch. **Recommendations** For versions prior to 5.7, update to version 5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `createInstanceFromNamedArguments` function to minimize the risk of exploitation.