GHSA-6WH5-MW9H-5C3W

GHSA-6WH5-MW9H-5C3W is a low-severity path traversal vulnerability in the plugin upload function of shopware/platform and shopware/core (composer), affecting versions < 6.6.10.7 and >= 6.7.0.0, < 6.7.3.1. It is fixed in 6.6.10.7 and 6.7.3.1.

Description

A path traversal vulnerability allows malicious actors to access files and folders outside the directory the affected function is meant to operate on. It occurs when an application uses unfiltered user input to build the path of a file and then reads or writes that file. This can result in read or write access to sensitive information, application code, back-end systems and other (critical) files on the operating system. In some cases it is even possible to store arbitrary files outside the relevant directory structure on the server in order to gain access to the server.

Applicability

The plugin upload function of the Shopware application is vulnerable to path traversal.

Within the on-premises version of Shopware, users can extend the application by installing 'plugins', also referred to as 'apps' or 'extensions'. Plugins can be installed from the official store or by uploading a zip file containing the required files. To prevent path traversal, Shopware checks the uploaded archive and rejects entries whose names contain '..'. During review of the source code it was noticed that this check only started at the third entry (index 2) of the uploaded zip file. The second entry (index 1) is therefore never checked, so it can contain path traversal sequences and be written to a directory outside the intended plugins folder.

To exploit this vulnerability, an admin account with permission to upload plugins is required.

Reproduction

To reproduce this vulnerability, the steps below can be followed.

  1. Log in to an on-premises Shopware application with an admin account with permissions to
    upload plugins.
  2. Create a malicious Zip file using the script provided in evidence 5.
  3. Upload the generated malicious zip file as a new plugin within the application.
  4. Access the filesystem of the Shopware application
  5. Navigate to the path below:
    /var/www/html/custom/apps
  6. Notice that an ‘evil.php’ file has been extracted within this folder.
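The mechanism described under Applicability and exercised by the steps above comes down to an archive validator that starts its loop at the wrong index. The following Python is an added example written for this page; it is not Shopware's PHP code and not the "evidence 5" script, and it makes no attempt to reach a real installation. It builds a constructed in-memory zip whose entry at index 1 carries a traversal sequence, runs a simplified model of the pre-fix check (reject '..' only from index 2 on), and contrasts it with a hardened check that validates every entry and confines the normalized extraction path to an assumed plugins directory (`/var/www/html/custom/plugins`). Entry names, file contents and the plugin root are all assumptions for illustration.

```python
import io
import posixpath
import zipfile

# Constructed sample archive (not the advisory's evidence). Entry order is the
# whole point: the flawed check only inspects entries from index 2 onward, so
# the traversal sequence is placed at index 1.
MALICIOUS_ENTRIES = [
    ("EvilPlugin/", b""),                                        # index 0: plugin root
    ("../../apps/evil.php", b"<?php echo 'constructed'; "),      # index 1: never checked
    ("EvilPlugin/composer.json", b'{"name": "evil/plugin"}'),    # index 2: checked
]

# Constructed well-formed plugin archive for comparison.
BENIGN_ENTRIES = [
    ("GoodPlugin/", b""),
    ("GoodPlugin/composer.json", b'{"name": "good/plugin"}'),
    ("GoodPlugin/src/GoodPlugin.php", b"<?php "),
]


def build_zip(entries):
    """Write (name, bytes) pairs into an in-memory zip, preserving order.
    zipfile.writestr stores the name verbatim, so '..' survives into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def flawed_check(zip_bytes, start_index=2):
    """Simplified model of the pre-fix behaviour described in the advisory:
    entry names are tested for '..' starting at start_index (2), so the entries
    at index 0 and 1 are never examined. Returns (ok, first_rejected_index)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    for i in range(start_index, len(names)):
        if ".." in names[i]:
            return False, i
    return True, None


def hardened_check(zip_bytes, plugin_root):
    """Validate every entry, then confine the resolved extraction path to
    plugin_root. Rejects absolute names, backslashes and any '..' segment, and
    re-checks the normalized target so that 'a/../../x' style names fail too.
    Returns (ok, first_rejected_index)."""
    root = posixpath.normpath(plugin_root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    for i, name in enumerate(names):
        if name.startswith("/") or "\\" in name or ".." in name.split("/"):
            return False, i
        target = posixpath.normpath(posixpath.join(root, name))
        if target != root and not target.startswith(root + "/"):
            return False, i
    return True, None


if __name__ == "__main__":
    root = "/var/www/html/custom/plugins"  # assumed extraction target
    for label, entries in (("malicious", MALICIOUS_ENTRIES), ("benign", BENIGN_ENTRIES)):
        data = build_zip(entries)
        print(label, "flawed:", flawed_check(data), "hardened:", hardened_check(data, root))
```

Run stand-alone, the malicious archive passes the flawed check and is rejected at index 1 by the hardened one, while the benign archive passes both. Move the traversal entry to index 2 and the flawed check catches it as well, which is exactly why the bug went unnoticed by tests that put the bad entry last. The hardened variant deliberately checks the normalized target and not just the raw name, so the decision does not depend on where in the archive an entry sits.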

Impact

Malicious actors can exploit this vulnerability to write files to arbitrary directories on the filesystem of the Shopware web container, with the permissions of the PHP process that extracts the archive. This could allow them to gain persistent shell access by placing a PHP web shell in a web-accessible folder.

It is important to note that this vulnerability is only present on on-premises installations of Shopware and not on the SaaS installation, because additional security checks are applied to uploaded plugin files there.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory. In this instance the primitive is a file write: an archive entry is extracted to a path outside the plugins folder.

GHSA-6WH5-MW9H-5C3W has a CVSS score of 2.7 (Low). The vector is network attack vector, high privileges required (an admin account that can upload plugins), and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (6.6.10.7 and 6.7.3.1); upgrading removes the vulnerable code path.

Affected versions

shopware/platform (< 6.6.10.7)
shopware/platform (>= 6.7.0.0, < 6.7.3.1)
shopware/core (< 6.6.10.7)
shopware/core (>= 6.7.0.0, < 6.7.3.1)

Security releases

shopware/platform → 6.6.10.7 (composer)
shopware/platform → 6.7.3.1 (composer)
shopware/core → 6.6.10.7 (composer)
shopware/core → 6.7.3.1 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade the following packages to resolve this vulnerability, picking the fixed release of the branch you are on:

shopware/platform to 6.6.10.7 or later (6.6 branch) or 6.7.3.1 or later (6.7 branch)
shopware/core to 6.6.10.7 or later (6.6 branch) or 6.7.3.1 or later (6.7 branch)

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-6WH5-MW9H-5C3W? GHSA-6WH5-MW9H-5C3W is a low-severity path traversal vulnerability in the plugin upload function of shopware/platform and shopware/core (composer), affecting versions < 6.6.10.7 and >= 6.7.0.0, < 6.7.3.1. It is fixed in 6.6.10.7 and 6.7.3.1. A crafted zip entry escapes the plugins folder and is written elsewhere on the filesystem.
  2. How severe is GHSA-6WH5-MW9H-5C3W? GHSA-6WH5-MW9H-5C3W has a CVSS score of 2.7 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by GHSA-6WH5-MW9H-5C3W?
    • shopware/platform (composer) (versions < 6.6.10.7 and >= 6.7.0.0, < 6.7.3.1)
    • shopware/core (composer) (versions < 6.6.10.7 and >= 6.7.0.0, < 6.7.3.1)
  4. Is there a fix for GHSA-6WH5-MW9H-5C3W? Yes. GHSA-6WH5-MW9H-5C3W is fixed in 6.6.10.7 and 6.7.3.1. Upgrade to the fixed release of your branch or later.
  5. Is GHSA-6WH5-MW9H-5C3W exploitable, and should I be worried? Whether GHSA-6WH5-MW9H-5C3W is exploitable in your environment depends on whether the vulnerable code is present and reachable; for this advisory that means an on-premises installation where an account with plugin upload permission can be obtained or misused. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether GHSA-6WH5-MW9H-5C3W is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-6WH5-MW9H-5C3W?
    • On the 6.6 branch, upgrade shopware/platform and shopware/core to 6.6.10.7 or later
    • On the 6.7 branch, upgrade shopware/platform and shopware/core to 6.7.3.1 or later

Other vulnerabilities in shopware/platform

CVE-2026-48012, CVE-2026-48013, CVE-2026-48014, CVE-2026-48015, CVE-2026-48016
