GHSA-p6w9-r443-r752

GitHub Security Advisory

Shopware vulnerable to blind SQL-injection in DAL aggregations

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The 'name' field of an entry in this "aggregations" object is vulnerable to blind SQL injection: its value reaches the generated SQL without validation, so SQL fragments supplied in that field are executed by the database. Because it is a blind injection, an attacker learns nothing from the response content directly and instead infers data from differences in the API's behaviour.
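The following is an added example and not Shopware's DAL code: a constructed model of the bug class described above, in which a caller-supplied aggregation name is spliced into the SQL as the result alias, next to a hardened form. The tables (`product`, `api_key`), the column the alias is attached to, and the probe payload are all assumptions of the model; only the pattern (an identifier that cannot be bound as a parameter and is therefore concatenated unvalidated) is what the advisory describes.

```python
import re
import sqlite3


def make_db():
    # Constructed sample schema (not Shopware's DAL tables): data an API caller
    # may aggregate (product) and data it must never read (api_key).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany(
        "INSERT INTO product (name, price) VALUES (?, ?)",
        [("Shirt", 19.99), ("Shoes", 59.0), ("Hat", 9.5)],
    )
    con.execute("CREATE TABLE api_key (id INTEGER PRIMARY KEY, secret TEXT)")
    con.execute("INSERT INTO api_key (secret) VALUES ('s3cr3t')")
    return con


def sum_aggregation_vulnerable(aggregation_name, con=None):
    # Bug class modelled here (assumption, not Shopware's actual query): the
    # aggregation name becomes the result column alias by string formatting.
    # Identifiers cannot be passed as bind parameters, and nothing validates
    # the name, so it can carry arbitrary SQL.
    if con is None:
        con = make_db()
    sql = f"SELECT SUM(price) AS {aggregation_name} FROM product"
    return con.execute(sql).fetchone()[0]


def blind_probe(condition, con=None):
    # Boolean-based blind probe (constructed payload): the injected WHERE
    # clause decides whether the aggregate covers all rows (a number) or no
    # rows (NULL). The attacker observes only that difference, never the
    # secret itself, which is what makes the injection "blind".
    payload = f"x FROM product WHERE ({condition}) --"
    return sum_aggregation_vulnerable(payload, con) is not None


# Allow-list for identifiers: a plain SQL name, bounded in length. Bind
# parameters cannot protect identifiers, so their shape is checked instead.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_valid_aggregation_name(aggregation_name):
    return bool(IDENTIFIER.match(aggregation_name))


def sum_aggregation_hardened(aggregation_name, con=None):
    # Hardened form: reject anything that is not a bare identifier before it
    # reaches the query string, and quote the alias as well so a future change
    # to the allow-list cannot silently reopen the hole.
    if not is_valid_aggregation_name(aggregation_name):
        raise ValueError(f"invalid aggregation name: {aggregation_name!r}")
    if con is None:
        con = make_db()
    sql = f'SELECT SUM(price) AS "{aggregation_name}" FROM product'
    return con.execute(sql).fetchone()[0]


if __name__ == "__main__":
    # Legitimate use works in both variants.
    print("vulnerable, normal name:", sum_aggregation_vulnerable("total"))
    print("hardened, normal name:  ", sum_aggregation_hardened("total"))
    # The blind oracle answers a yes/no question about a table the caller
    # should not be able to read.
    print("first char of secret is 's':",
          blind_probe("(SELECT substr(secret, 1, 1) FROM api_key) = 's'"))
    print("first char of secret is 'z':",
          blind_probe("(SELECT substr(secret, 1, 1) FROM api_key) = 'z'"))
    # The hardened variant refuses the same payload outright.
    try:
        sum_aggregation_hardened("x FROM product WHERE 1=1 --")
    except ValueError as exc:
        print("hardened rejected payload:", exc)
```

The design point worth keeping in mind when reviewing DAL-style query builders: column names, aliases, table names and sort fields are identifiers, and no database driver lets you bind them as parameters. Any such value that originates from a request body has to be matched against an allow-list of known fields or a strict identifier pattern before it is concatenated; quoting alone is not a substitute, since the quote character itself is what the attacker will try to close.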

### Patches

Update to Shopware 6.6.5.1 or 6.5.8.13

### Workarounds

For the older 6.1, 6.2, 6.3 and 6.4 release lines, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

### Credit

[LogicalTrust](https://logicaltrust.net)

Affected Packages

Packagist shopware/core
Affected versions: < 6.5.8.13 (fixed in 6.5.8.13); >= 6.6.0.0, < 6.6.5.1 (fixed in 6.6.5.1)
Packagist shopware/platform
Affected versions: < 6.5.8.13 (fixed in 6.5.8.13); >= 6.6.0.0, < 6.6.5.1 (fixed in 6.6.5.1)

Key Information

GHSA ID
GHSA-p6w9-r443-r752
Published
August 8, 2024 2:53 PM
Last Modified
November 18, 2024 4:27 PM
CVSS Score
5.0 / 10
Primary Ecosystem
Packagist
Primary Package
shopware/core
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.