CVE-2025-27892

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.6.10.3 Shopware versions prior to 6.5.8.17

Description The Shopware application API contains a search functionality that enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field in this "aggregations" object is vulnerable to SQL injection and can be exploited using SQL parameters.

Recommendations Update to Shopware 6.6.10.3 or 6.5.8.17 to resolve the issue. For older versions of 6.4, consider installing a security plugin to mitigate the risk. As a temporary workaround, consider restricting access to the vulnerable search functionality until a patch is applied.