User Impersonation Affecting shopware/core package, versions <6.6.10.18>=6.7.0.0, <6.7.10.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-SHOPWARECORE-17660404
  • published27 Jun 2026
  • disclosed4 Jun 2026
  • creditUnknown

Introduced: 4 Jun 2026

NewCVE-2026-48016  (opens in a new tab)
CWE-290  (opens in a new tab)

How to fix?

Upgrade shopware/core to version 6.6.10.18, 6.7.10.1 or higher.

Overview

shopware/core is a Shopware platform is the core for all Shopware ecommerce products.

Affected versions of this package are vulnerable to User Impersonation via the handle-payment endpoint. An attacker can trigger payment flows for orders belonging to other users by supplying a valid foreign orderId, potentially causing unauthorized payment attempts and disrupting order and payment processing integrity.

CVSS Base Scores

version 4.0
version 3.1