Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability in the /api/search/order endpoint. NOTE: this issue exists because of a CVE-2024-22406 and CVE-2024-42357 regression.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27892.json",
"cna_assigner": "mitre"
}{
"cpe": [
"cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*",
"cpe:2.3:a:shopware:shopware:6.7.0.0:rc1:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "6.5.8.17"
},
{
"introduced": "6.6.0.0"
},
{
"fixed": "6.6.10.3"
},
{
"introduced": "6.7.0.0-rc1"
},
{
"last_affected": "6.7.0.0-rc1"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}