PT-2025-31974 · Shopware · Shopware 6

Anonx-Hunter · Published 2025-08-05 · Updated 2025-08-05 · CVE-2025-51541
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Shopware 6 (affected versions not specified)
Description: A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface. The value submitted in the c database schema field is stored and later rendered into the page without output encoding, so it can carry attacker-controlled JavaScript. Because the POST request to the installer has no CSRF protection, an unauthenticated remote attacker does not need to reach the installer directly: a malicious web page that submits the form cross-site from a visiting victim's browser (the user interaction required by the CVSS vector) is enough to write the payload persistently into the installation configuration. From then on the payload executes in the browser of every user who opens the affected installation page, giving persistent client-side code execution in the context of the shop's origin. Since the sink lives in the installer, the issue only matters while the installation interface is reachable; an instance whose installer is left exposed after deployment is the realistic target. The vulnerable API endpoint is /recovery/install/database-configuration/; the vulnerable parameter is c database schema.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is available, keep the installer unreachable from untrusted networks (for example, restrict /recovery/install/ by IP at the web server, and remove or lock the installer once setup is complete), and treat any request to /recovery/install/database-configuration/ on a production host as suspicious.
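The bug class behind this record, reduced to a minimal handler, as an added example (Python for illustration; this is not Shopware's PHP and not code from the advisory): a form value is stored and later interpolated into HTML unescaped, and the POST that stores it is accepted with no origin or token check, shown beside the hardened form of both the handler and the sink. The field name `schema`, the function names, the token scheme and the trusted origin `https://shop.example` are assumptions; the page names the real parameter only as "c database schema".

```python
"""Stored XSS reachable through a CSRF-able POST, vulnerable vs. hardened.

Added example, not Shopware code. The field name "schema", the function names,
the session token scheme and TRUSTED_ORIGIN are assumptions for illustration.
"""
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed payload: closes the value="" attribute, then injects a script element.
PAYLOAD = '"><script>alert(document.domain)</script>'

# Assumed deployment origin of the installer (a real check would read it from config).
TRUSTED_ORIGIN = "https://shop.example"

# Assumed per-session anti-CSRF token; normally kept server-side and embedded in
# the legitimate form as a hidden field so a cross-site form cannot know it.
SESSION_CSRF_TOKEN = secrets.token_urlsafe(32)


class RequestRejected(Exception):
    """Raised by the hardened handler when a POST fails a CSRF check."""


def handle_post_vulnerable(store: dict, body: str) -> str:
    """Vulnerable pattern: accept any POST body and persist the raw field value."""
    fields = parse_qs(body, keep_blank_values=True)
    store["schema"] = fields.get("schema", [""])[0]
    return store["schema"]


def render_vulnerable(store: dict) -> str:
    """Vulnerable sink: the stored value is placed into markup without encoding."""
    return f'<input name="schema" value="{store.get("schema", "")}">'


def handle_post_hardened(store: dict, body: str, headers: dict) -> str:
    """Hardened handler: same-origin check plus constant-time token comparison."""
    # 1. A cross-site form post carries the attacker's page as Origin (or Referer
    #    when Origin is absent). Reject anything that is not our own origin; this
    #    also rejects "Origin: null" and a request with neither header.
    source = headers.get("Origin") or headers.get("Referer")
    parsed = urlparse(source or "")
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        raise RequestRejected("cross-origin or origin-less POST")

    # 2. Require the session-bound token that only the legitimate form contains.
    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("_csrf_token", [""])[0]
    if not hmac.compare_digest(token, SESSION_CSRF_TOKEN):
        raise RequestRejected("missing or invalid CSRF token")

    store["schema"] = fields.get("schema", [""])[0]
    return store["schema"]


def render_hardened(store: dict) -> str:
    """Hardened sink: encode for the attribute context (quote=True escapes ' and ")."""
    value = html.escape(store.get("schema", ""), quote=True)
    return f'<input name="schema" value="{value}">'


def forged_body() -> str:
    """What an attacker's auto-submitting form sends: the payload, no token."""
    return urlencode({"schema": PAYLOAD})


def legitimate_body() -> str:
    """What the real installer form sends: the same field plus the session token."""
    return urlencode({"schema": PAYLOAD, "_csrf_token": SESSION_CSRF_TOKEN})


def post_is_rejected(body: str, headers: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        handle_post_hardened({}, body, headers)
    except RequestRejected:
        return True
    return False


def vulnerable_page_after(body: str) -> str:
    """Post to the vulnerable handler into a fresh store, then render the page."""
    store = {}
    handle_post_vulnerable(store, body)
    return render_vulnerable(store)


def hardened_page_after(body: str, headers: dict) -> str:
    """Post to the hardened handler into a fresh store, then render the page."""
    store = {}
    handle_post_hardened(store, body, headers)
    return render_hardened(store)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_page_after(forged_body()))
    print("forged post rejected:",
          post_is_rejected(forged_body(), {"Origin": "https://attacker.example"}))
    print("hardened:", hardened_page_after(legitimate_body(), {"Origin": TRUSTED_ORIGIN}))
```

Both checks in the hardened handler are needed: the origin check alone fails open when a browser omits both headers, and the token check alone still lets the stored value reach the page, which is why the sink is encoded as well. Encoding is done for the attribute context the value lands in; a value written into a script block or a URL would need a different encoder.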

Exploit

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-51541

Affected Products: Shopware 6