GHSA-27C9-VP3W-6WW8

GHSA-27C9-VP3W-6WW8 is a medium-severity security vulnerability in shopware/platform (composer), affecting versions >= 6.7.0.0, < 6.7.3.1. It is fixed in 6.7.3.1, 6.6.10.7.

Description

Sensitive information disclosure occurs when an application inadvertently displays sensitive information to its users. Depending on the context, websites can leak all kinds of information including:
• Data regarding other users, such as usernames and/or e-mail addresses
• Sensitive commercial data such as customer names
• Technical details about the website and/or the underlying infrastructure
Disclosing technical details, such as detailed version information, lets malicious actors look for vulnerabilities and misconfigurations known to affect that particular version of the application or the underlying infrastructure. An application that reveals its version is also more likely to be targeted by attacks crafted specifically for that version of the software.

Applicability

The Shopware application exposes sensitive information to users within the export section.
The Shopware application allows admins to import and export data within the application. To do this, import/export profiles can be created. These profiles tell the application which database tables and fields map to which columns in the generated file. During testing it was noticed that sensitive information, such as password hashes or reset codes, can also be included in the export by creating a custom mapping that adds these fields to the profile.
To exploit this vulnerability, an account with permissions to create import/export profiles and to create exports is required.

Reproduction

To reproduce this vulnerability, the steps below can be followed.

  1. Log in to Shopware application with an admin account capable of creating import/export profiles and creating exports
  2. Create a new import/export profile
  3. Add a new mapping for the ‘password’ database entry
  4. Create an export using the new profile
  5. Notice that the password hashes of the users are available within the export file.
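The weakness described in the applicability and reproduction sections above is the absence of a check on which entity fields a profile mapping may reference. The following is an added example, not Shopware's own code: it shows a deny-list check and a stricter allow-list check that a profile save path could apply, a sanitizing variant that drops offending mappings, and, going beyond the advisory text, a scanner that audits an already generated export file for credential columns by header name or by crypt-style hash prefix. The mapping shape ({"key": column name, "mappedKey": entity field path}), the field names, the deny-list words and the sample rows are all constructed assumptions.

```python
"""Audit Shopware-style import/export profile mappings and generated export
files for credential material (password hashes, reset/recovery codes).

Added example, not Shopware's own code. The mapping shape used here,
{"key": <column name in the file>, "mappedKey": <entity field path>},
the entity field names and the sample rows are constructed assumptions.
"""
import csv
import io
import re

# Words that mark a field as credential material. Assumed deny-list for
# illustration; a real installation should extend it from its own schema.
SENSITIVE_WORDS = frozenset(
    {"password", "hash", "recovery", "reset", "token", "secret", "salt"}
)

# Stronger design: an explicit allow-list of exportable fields per entity.
# Assumed field names; anything outside the allow-list is rejected.
EXPORTABLE_FIELDS = {
    "customer": {"id", "email", "firstName", "lastName", "customerNumber"},
}

# Prefixes of common crypt-style hash encodings (bcrypt, argon2, md5/sha-crypt).
HASH_PREFIX_RE = re.compile(r"^\$(2[abxy]|argon2(?:id|i|d)|1|5|6)\$")


def _words(path):
    """Split 'customer.legacyPassword' into ['customer', 'legacy', 'password']."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", path)
    return [w.lower() for w in re.split(r"[.\s_\-]+", spaced) if w]


def is_sensitive(path):
    """True when any word of a field path or column name is in the deny-list."""
    return any(w in SENSITIVE_WORDS for w in _words(path))


def validate_profile(mapping):
    """Deny-list check for a profile about to be saved.

    Returns the offending mappedKeys; an empty list means the profile may be
    stored. This is the check missing in the behaviour the advisory describes.
    """
    return [m["mappedKey"] for m in mapping if is_sensitive(m["mappedKey"])]


def validate_against_allowlist(entity, mapping):
    """Allow-list check: every mappedKey must be explicitly exportable."""
    allowed = EXPORTABLE_FIELDS.get(entity, set())
    return [m["mappedKey"] for m in mapping if m["mappedKey"] not in allowed]


def sanitize_profile(mapping):
    """Hardened save path: drop sensitive mappings instead of exporting them."""
    return [m for m in mapping if not is_sensitive(m["mappedKey"])]


def _looks_like_hash(value):
    return bool(value) and HASH_PREFIX_RE.match(value) is not None


def scan_export(csv_text, delimiter=";"):
    """Detection over an already generated export: flag columns whose header
    names a sensitive field or whose values carry a crypt-style hash prefix,
    so a column renamed to something innocuous ('pw') is still caught."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    flagged = set()
    for row in reader:
        for column, value in row.items():
            if column is None:  # extra cells beyond the header row
                continue
            if is_sensitive(column) or _looks_like_hash(value):
                flagged.add(column)
    return sorted(flagged)


# Constructed profile: three ordinary fields plus three that must never be exported.
PROFILE_MAPPING = [
    {"key": "id", "mappedKey": "id"},
    {"key": "email", "mappedKey": "email"},
    {"key": "firstName", "mappedKey": "firstName"},
    {"key": "pw", "mappedKey": "password"},
    {"key": "legacy", "mappedKey": "legacyPassword"},
    {"key": "recovery", "mappedKey": "customerRecovery.hash"},
]

# Constructed export file; the hash values are placeholders, not real digests.
SAMPLE_EXPORT = (
    "id;email;pw;recovery_code\n"
    "1;alice@example.com;$2y$10$CONSTRUCTEDPLACEHOLDERVALUE0000000000000000000;r3s3tc0de\n"
    "2;bob@example.com;$argon2id$v=19$m=65536,t=4,p=1$CONSTRUCTED$PLACEHOLDER;\n"
)

if __name__ == "__main__":
    print("deny-list rejects:", validate_profile(PROFILE_MAPPING))
    print("allow-list rejects:", validate_against_allowlist("customer", PROFILE_MAPPING))
    print("kept after sanitizing:", [m["key"] for m in sanitize_profile(PROFILE_MAPPING)])
    print("columns flagged in export:", scan_export(SAMPLE_EXPORT))
```

The deny-list is the quick fix but brittle: a field named outside its vocabulary slips through, which is why the allow-list variant is the design to aim for when the set of legitimately exportable fields is known. The export scanner is the complementary detective control for exports created before a fix was deployed.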

Impact

Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashes and recovery tokens of administrator-level accounts, which increases the potential impact.
This risk is noteworthy because users may reuse the same or similar passwords across different services. In such cases, exposed hashes could allow attackers to recover credentials that might also be valid outside of Shopware.

GHSA-27C9-VP3W-6WW8 has a CVSS score of 4.9 (Medium). The vector is network-reachable, requires high privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (6.7.3.1, 6.6.10.7); upgrading removes the vulnerable code path.

Affected versions

• shopware/platform (>= 6.7.0.0, < 6.7.3.1)
• shopware/platform (< 6.6.10.7)
• shopware/core (>= 6.7.0.0, < 6.7.3.1)
• shopware/core (< 6.6.10.7)

Security releases

• shopware/platform → 6.7.3.1 (composer)
• shopware/platform → 6.6.10.7 (composer)
• shopware/core → 6.7.3.1 (composer)
• shopware/core → 6.6.10.7 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade the following packages to resolve this vulnerability:

• shopware/platform to 6.7.3.1 or later
• shopware/platform to 6.6.10.7 or later
• shopware/core to 6.7.3.1 or later
• shopware/core to 6.6.10.7 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-27C9-VP3W-6WW8? GHSA-27C9-VP3W-6WW8 is a medium-severity security vulnerability in shopware/platform (composer), affecting versions >= 6.7.0.0, < 6.7.3.1. It is fixed in 6.7.3.1, 6.6.10.7.
  2. How severe is GHSA-27C9-VP3W-6WW8? GHSA-27C9-VP3W-6WW8 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by GHSA-27C9-VP3W-6WW8?
    • shopware/platform (composer) (versions >= 6.7.0.0, < 6.7.3.1)
    • shopware/core (composer) (versions >= 6.7.0.0, < 6.7.3.1)
  4. Is there a fix for GHSA-27C9-VP3W-6WW8? Yes. GHSA-27C9-VP3W-6WW8 is fixed in 6.7.3.1, 6.6.10.7. Upgrade to this version or later.
  5. Is GHSA-27C9-VP3W-6WW8 exploitable, and should I be worried? Whether GHSA-27C9-VP3W-6WW8 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-27C9-VP3W-6WW8 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-27C9-VP3W-6WW8?
    • Upgrade shopware/platform to 6.7.3.1 or later
    • Upgrade shopware/platform to 6.6.10.7 or later
    • Upgrade shopware/core to 6.7.3.1 or later
    • Upgrade shopware/core to 6.6.10.7 or later

Other vulnerabilities in shopware/platform

• CVE-2026-48013
• CVE-2026-48015
• CVE-2026-48016
• CVE-2026-48014
• CVE-2026-48012
