CVE-2026-48015
Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-79
Neutralización incorrecta de la entrada durante la generación de la página web (Cross-site Scripting)
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026
Descripción
*** Pendiente de traducción *** Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, SVG files are in the allowed_extensions whitelist in src/Core/Framework/Resources/config/packages/shopware.yaml and can be uploaded via the media manager without SVG content sanitization in the upload pipeline from MediaUploadController to FileSaver to TypeDetector, allowing malicious SVG JavaScript such as onload, , and to execute in the Shopware domain when the uploaded SVG is viewed. This issue is fixed in versions 6.6.10.18 and 6.7.10.1.
Impacto
Puntuación base 3.x
4.90
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://github.com/shopware/shopware/commit/745a3ea3b77d4fe0f78c595ef527d8453a134497
- https://github.com/shopware/shopware/commit/fd6d39bdb62dfa06fe62c7c87b37607d84094cda
- https://github.com/shopware/shopware/releases/tag/v6.6.10.18
- https://github.com/shopware/shopware/releases/tag/v6.7.10.1
- https://github.com/shopware/shopware/security/advisories/GHSA-xvhc-gm7j-mhmc



