GHSA-8g35-7rmw-7f59

GitHub Security Advisory

Shopware Vulnerable to Blind SQL-injection in DAL aggregations

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field of a **nested** object inside this “aggregations” object is vulnerable to SQL injection and can be exploited using SQL parameters.
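A defender-side input check for the field the advisory describes, added here as an example and not Shopware's own code or its actual fix: it walks the search request's aggregations, descends into nested `aggregation` objects, and reports every aggregation whose `name` is not a plain identifier. The request layout (a list of objects nesting one `aggregation`) and the identifier whitelist are assumptions for the example.

```python
import json
import re

# Whitelist for aggregation names: a plain identifier of letters, digits,
# underscore, dot or hyphen. This pattern is an assumption for the example,
# not Shopware's own validation rule.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def walk_aggregations(aggregations, path="aggregations"):
    """Yield (path, name) for every aggregation object, descending into the
    nested 'aggregation' key (a single object or a list). The body layout is
    assumed from the DAL search API, not taken from the advisory."""
    if isinstance(aggregations, dict):
        items = [(path, aggregations)]
    else:
        items = [(f"{path}[{i}]", a) for i, a in enumerate(aggregations or [])]
    for here, agg in items:
        if not isinstance(agg, dict):
            yield here, None          # malformed entry: no usable name
            continue
        yield here, agg.get("name")
        if "aggregation" in agg:
            yield from walk_aggregations(agg["aggregation"], f"{here}.aggregation")

def find_unsafe_aggregation_names(body):
    """Return the paths of aggregation objects whose 'name' is missing, not a
    string, or not a plain identifier. An empty list means every name passes
    the whitelist and the request can be handed on to the DAL layer."""
    return [
        path
        for path, name in walk_aggregations(body.get("aggregations", []))
        if not isinstance(name, str) or not SAFE_NAME.match(name)
    ]

# Constructed request body: one well-formed aggregation and one whose nested
# aggregation carries a name that is not an identifier (quote and space).
SAMPLE_BODY = json.loads("""{
  "limit": 1,
  "aggregations": [
    {"name": "price-stats", "type": "stats", "field": "price"},
    {"name": "by-manufacturer", "type": "terms", "field": "manufacturerId",
     "aggregation": {"name": "total' AND x", "type": "sum", "field": "price"}}
  ]
}""")

if __name__ == "__main__":
    print(find_unsafe_aggregation_names(SAMPLE_BODY))
    # -> ['aggregations[1].aggregation']
```

Only the nested object is reported, which is exactly the position the advisory names; a top-level `name` is checked by the same rule.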

### Patches

Update to Shopware 6.6.10.3

### Workarounds

For older versions of 6.5 or 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

### Credit

[Redteam Pentesting](https://www.redteam-pentesting.de/)

Affected Packages

Packagist shopware/core
Affected versions: 6.7.0.0-rc1 (fixed in 6.7.0.0-rc2)
Packagist shopware/platform
Affected versions: 6.7.0.0-rc1 (fixed in 6.7.0.0-rc2)
Packagist shopware/core
Affected versions: 6.6.0.0 (fixed in 6.6.10.3)
Packagist shopware/platform
Affected versions: 6.6.0.0 (fixed in 6.6.10.3)
Packagist shopware/core
Affected versions: 0 (fixed in 6.5.8.18)
Packagist shopware/platform
Affected versions: 0 (fixed in 6.5.8.18)

Related CVEs

Key Information

GHSA ID
GHSA-8g35-7rmw-7f59
Published
April 8, 2025 4:33 PM
Last Modified
May 12, 2025 10:18 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
shopware/core
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 25, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.