CVE-2026-48015
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowed_extensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from MediaUploadController to FileSaver to TypeDetector, allowing malicious SVG JavaScript such as onload, , and to execute in the Shopware domain when the uploaded SVG is viewed. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
Impact
Base Score 3.x
4.90
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/shopware/shopware/commit/745a3ea3b77d4fe0f78c595ef527d8453a134497
- https://github.com/shopware/shopware/commit/fd6d39bdb62dfa06fe62c7c87b37607d84094cda
- https://github.com/shopware/shopware/releases/tag/v6.6.10.18
- https://github.com/shopware/shopware/releases/tag/v6.7.10.1
- https://github.com/shopware/shopware/security/advisories/GHSA-xvhc-gm7j-mhmc



