Description
Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, waitTime, which lacks proper input validation. This issue is fixed in versions 6.6.10.10 and 6.7.5.1.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2
Scores
CVSS v3
7.1
EPSS
0.0002
EPSS Percentile
5.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (5)
shopware/shopware
6.4.6.0 - 6.6.10.10Packagist
shopware/shopware
6.4.6.0 - 6.6.10.10
shopware/shopware
>= 6.4.6.0, < 6.6.10.10
shopware/shopware
>= 6.7.0.0, < 6.7.5.1
shopware/storefront
6.4.6.0 - 6.6.10.10Packagist
Published
Dec 11, 2025
Tracked Since
Feb 18, 2026