CVE-2026-48011

Source
https://cve.org/CVERecord?id=CVE-2026-48011
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48011.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48011
Aliases
Published
2026-06-10T20:07:02.345Z
Modified
2026-07-15T01:49:12.571051657Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Details

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-208"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "6.6.10.18"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48011.json"
}
References

Affected packages

Git / github.com/shopware/shopware

Affected ranges

Type
GIT
Repo
https://github.com/shopware/shopware
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "6.7.0.0"
        },
        {
            "fixed": "6.7.10.1"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48011.json"