Summary
Description
When an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user's web browser. This allows malicious actors to perform malicious actions in the name of that user. XSS can be divided into three variants: Persistent XSS, Reflective XSS and DOM-based XSS. In Reflective XSS, a malicious actor injects malicious JavaScript code into a URL. Every time the user visits this URL, the JavaScript code is executed in the user’s browser.
Applicability
Due to a lack of input validation, the Shopware application contain XSS vulnerabilities. The JavaScript variable 'activeRouteParameters' lacks input validation, which makes it vulnerable to XSS attacks at the following endpoints:
- /page/cms/*
- /widget/cms/*
The lack of input validation enables malicious actors to inject harmful JavaScript-code into the affected pages. When a user visits the page, the code is executed within the user’s web browser. This enables malicious actors to perform (harmful) actions on behalf of the affected user. No user account is required to exploit this vulnerability.
Reproduction
To reproduce this vulnerability, the steps below can be followed.
- Navigate to the URL below containing the XSS payload:
https://pentest-saas-2025-2.shopware.store/page/cms/'+alert('REQON')+' - Observe that a pop-up is shown indicating that the JavaScript code has been executed.
Workarounds
For older versions of 6.7, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Impact
By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user.
Some examples of this include, but are not limited to:
- Obtaining user session tokens.
- Performing administrative actions (when an administrative user is affected).
These vulnerabilities pose a high security risk. Since a sensitive cookie is not configured with the HttpOnly attribute and administrator JWTs are stored in sessionStorage, any successful XSS attack could enable the theft of session cookies and administrative tokens.
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
GHSA-9V82-VCJX-M76J has a CVSS score of 8.8 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (6.7.2.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
shopware/shopware to 6.7.2.1 or later; shopware/core to 6.7.2.1 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-9V82-VCJX-M76J? GHSA-9V82-VCJX-M76J is a high-severity cross-site scripting (XSS) vulnerability in shopware/shopware (composer), affecting versions >= 6.7.0.0, < 6.7.2.1. It is fixed in 6.7.2.1. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is GHSA-9V82-VCJX-M76J? GHSA-9V82-VCJX-M76J has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by GHSA-9V82-VCJX-M76J?
shopware/shopware(composer) (versions >= 6.7.0.0, < 6.7.2.1)shopware/core(composer) (versions >= 6.7.0.0, < 6.7.2.1)
- Is there a fix for GHSA-9V82-VCJX-M76J? Yes. GHSA-9V82-VCJX-M76J is fixed in 6.7.2.1. Upgrade to this version or later.
- Is GHSA-9V82-VCJX-M76J exploitable, and should I be worried? Whether GHSA-9V82-VCJX-M76J is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-9V82-VCJX-M76J is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-9V82-VCJX-M76J?
- Upgrade
shopware/shopwareto 6.7.2.1 or later - Upgrade
shopware/coreto 6.7.2.1 or later
- Upgrade