Server-side Request Forgery (SSRF) Affecting shopware/core package, versions >=6.7.0.0, <6.7.10.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-SHOPWARECORE-17660409
  • published27 Jun 2026
  • disclosed4 Jun 2026
  • creditUnknown

Introduced: 4 Jun 2026

NewCVE-2026-48013  (opens in a new tab)
CWE-918  (opens in a new tab)

How to fix?

Upgrade shopware/core to version 6.7.10.1 or higher.

Overview

shopware/core is a Shopware platform is the core for all Shopware ecommerce products.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the external-link process. An attacker can access internal network resources and cloud metadata endpoints by supplying crafted URLs to the affected endpoint, which performs server-side HTTP HEAD requests without proper IP validation. This enables the attacker to probe internal services, scan internal networks, and leak information such as content-length headers from internal or cloud services. Redirects may also be followed, allowing further escalation through attacker-controlled servers.

CVSS Base Scores

version 4.0
version 3.1