PT-2025-15708 · Shopware · Shopware

Lowshyim · Published 2025-04-09 · Updated 2025-04-09 · CVE-2025-32378

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Shopware versions prior to 6.6.10.3; Shopware versions prior to 6.5.8.17

Description: The issue concerns the default settings for double opt-in in Shopware, which allow mass unsolicited newsletter sign-ups without confirmation. Specifically, with the default combination of settings:

- Newsletter: Double Opt-in set to active
- Newsletter: Double opt-in for registered customers set to disabled
- Log-in & sign-up: Double opt-in on sign-up set to disabled

anyone can register an account and sign up for the newsletter without needing to confirm via a link. The recipient receives confirmation emails, but the subscription is set to "instantly active" in the backend.

Recommendations: For versions prior to 6.6.10.3, update to version 6.6.10.3 or later. For versions prior to 6.5.8.17, update to version 6.5.8.17 or later.

Related Identifiers

CVE-2025-32378
GHSA-4H9W-7VFP-PX8M

Affected Products

Shopware