GHSA-xvhc-gm7j-mhmc

Source
https://github.com/advisories/GHSA-xvhc-gm7j-mhmc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-xvhc-gm7j-mhmc/GHSA-xvhc-gm7j-mhmc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xvhc-gm7j-mhmc
Aliases
  • CVE-2026-48015
Published
2026-06-04T19:35:26Z
Modified
2026-06-04T19:45:08.783975989Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Shopware: Stored XSS via SVG file upload — no SVG sanitization
Details

SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (onload, <script>, <foreignObject>) executes in the context of the Shopware domain when accessed.

The Problem

In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:

allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]

SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as ImageType with VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.

A search of the entire codebase for SVG sanitization returns nothing: no DOMPurify, no svg-sanitize, no strip_tags on SVG content.

Impact

Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.

Suggested Fix

Either:

  1. Remove SVG from allowed_extensions if SVG upload is not a core requirement
  2. Sanitize SVG content on upload using a library like enshrined/svg-sanitize (strips scripts, event handlers, external references)
  3. Serve SVGs with Content-Disposition: attachment to prevent inline rendering
  4. Serve SVGs from a separate domain (like Nextcloud's usercontent.apps.nextcloud.com)

Option 2 is the most practical — enshrined/svg-sanitize is already used by WordPress and other PHP projects.

Regards & BG, Keyvan Hardani
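
An added example, not part of the advisory or of Shopware's code: a Python check for the active content the advisory lists (script elements, event-handler attributes, foreignObject, external references), usable to audit SVG files already stored in a media directory. The function names, finding labels and sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

ACTIVE_TAGS = {"script", "foreignobject"}   # elements named in the advisory
LINK_ATTRS = {"href", "src"}                # "href" also matches xlink:href

def _local(name):
    """'{namespace}Name' -> 'name' (namespace dropped, lower-cased)."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes):
    """Return a sorted list of active-content findings for one SVG."""
    # Refuse DTDs and entity declarations instead of expanding them.
    # Byte-level check: assumes an ASCII-compatible encoding such as UTF-8.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]
    found = set()
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            found.add("tag:" + tag)
        for name, value in el.attrib.items():
            attr = _local(name)
            val = re.sub(r"\s+", "", value).lower()  # URL parsers drop tab/newline
            if attr.startswith("on"):
                found.add("handler:" + attr)
            if "javascript:" in val:
                found.add("js-uri")
            elif attr in LINK_ATTRS and not val.startswith(("#", "data:image/")):
                found.add("external-ref")
    return sorted(found)

def audit(media_root):
    """Map every flagged *.svg file under media_root to its findings."""
    report = {}
    for path in Path(media_root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            hits = svg_findings(path.read_bytes())
            if hits:
                report[str(path.relative_to(media_root))] = hits
    return report

# Constructed samples, not taken from the advisory.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="url(#g)"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
          b'<script>void 0</script><foreignObject/></svg>')
```

A hit is a reason to review or re-sanitize the file, not proof of compromise. CSS inside a style element is outside what this check covers.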

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T19:35:26Z",
    "severity": "MODERATE",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-79"
    ]
}

Affected packages

Packagist / shopware/core

Package

Name
shopware/core
Purl
pkg:composer/shopware%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0.0
Fixed
6.7.10.1

Affected versions

v6.*
v6.7.0.0
v6.7.0.1
v6.7.1.0
v6.7.1.1
v6.7.1.2
v6.7.2.0
v6.7.2.1
v6.7.2.2
v6.7.3.0
v6.7.3.1
v6.7.4.0
v6.7.4.1
v6.7.4.2
v6.7.5.0
v6.7.5.1
v6.7.6.0
v6.7.6.1
v6.7.6.2
v6.7.7.0
v6.7.7.1
v6.7.8.0
v6.7.8.1
v6.7.8.2
v6.7.9.0
v6.7.9.1
v6.7.10.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-xvhc-gm7j-mhmc/GHSA-xvhc-gm7j-mhmc.json"

Packagist / shopware/core

Package

Name
shopware/core
Purl
pkg:composer/shopware%2Fcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.10.18

Affected versions

v6.*
v6.0.0+ea2
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.0-RC1
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.2.1
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.4.1
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.5.6.0
v6.5.6.1
v6.5.7.0
v6.5.7.1
v6.5.7.2
v6.5.7.3
v6.5.7.4
v6.5.8.0
v6.5.8.1
v6.5.8.2
v6.5.8.3
v6.5.8.4
v6.5.8.5
v6.5.8.6
v6.5.8.7
v6.5.8.8
v6.5.8.9
v6.5.8.10
v6.5.8.11
v6.5.8.12
v6.5.8.13
v6.5.8.14
v6.5.8.15
v6.5.8.16
v6.5.8.17
v6.5.8.18
v6.5.8.19
v6.6.0.0-rc1
v6.6.0.0-rc2
v6.6.0.0-rc3
v6.6.0.0-rc4
v6.6.0.0-rc5
v6.6.0.0-rc6
v6.6.0.0-rc7
v6.6.0.0
v6.6.0.1
v6.6.0.2
v6.6.0.3
v6.6.1.0
v6.6.1.1
v6.6.1.2
v6.6.2.0
v6.6.3.0
v6.6.3.1
v6.6.4.0
v6.6.4.1
v6.6.5.0
v6.6.5.1
v6.6.6.0
v6.6.6.1
v6.6.7.0
v6.6.7.1
v6.6.8.0
v6.6.8.1
v6.6.8.2
v6.6.9.0
v6.6.10.0
v6.6.10.1
v6.6.10.2
v6.6.10.3
v6.6.10.4
v6.6.10.5
v6.6.10.6
v6.6.10.7
v6.6.10.8
v6.6.10.9
v6.6.10.10
v6.6.10.11
v6.6.10.12
v6.6.10.13
v6.6.10.14
v6.6.10.15
v6.6.10.16
v6.6.10.17
6.*
6.3.0.0
6.3.0.1
6.3.0.2
6.3.1.0
6.3.1.1
6.3.2.0
6.3.2.1
6.3.3.0
6.3.3.1
6.3.4.0
6.3.4.1
6.3.5.0
6.3.5.1
6.3.5.2
6.3.5.3
6.3.5.4
6.4.0.0-RC1
6.4.0.0
6.4.1.0
6.4.1.1
6.4.1.2
6.4.2.0
6.4.2.1
6.4.3.0
6.4.3.1
6.4.4.0
6.4.4.1
6.4.5.0
6.4.5.1
6.4.6.0
6.4.6.1
6.4.7.0
6.4.8.0
6.4.8.1
6.4.8.2
6.4.9.0
6.4.10.0
6.4.10.1
6.4.11.0
6.4.11.1
6.4.12.0
6.4.13.0
6.4.14.0
6.4.15.0
6.4.15.1
6.4.15.2
6.4.16.0
6.4.16.1
6.4.17.0
6.4.17.1
6.4.17.2
6.4.18.0
6.4.18.1
6.4.19.0
6.4.20.0
6.4.20.1
6.4.20.2
6.5.0.0-rc1
6.5.0.0-rc2
6.5.0.0-rc3
6.5.0.0-rc4
6.5.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-xvhc-gm7j-mhmc/GHSA-xvhc-gm7j-mhmc.json"

Packagist / shopware/platform

Package

Name
shopware/platform
Purl
pkg:composer/shopware%2Fplatform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0.0
Fixed
6.7.10.1

Affected versions

v6.*
v6.7.0.0
v6.7.0.1
v6.7.1.0
v6.7.1.1
v6.7.1.2
v6.7.2.0
v6.7.2.1
v6.7.2.2
v6.7.3.0
v6.7.3.1
v6.7.4.0
v6.7.4.1
v6.7.4.2
v6.7.5.0
v6.7.5.1
v6.7.6.0
v6.7.6.1
v6.7.6.2
v6.7.7.0
v6.7.7.1
v6.7.8.0
v6.7.8.1
v6.7.8.2
v6.7.9.0
v6.7.9.1
v6.7.10.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-xvhc-gm7j-mhmc/GHSA-xvhc-gm7j-mhmc.json"

Packagist / shopware/platform

Package

Name
shopware/platform
Purl
pkg:composer/shopware%2Fplatform

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.6.10.18

Affected versions

v6.*
v6.0.0+ea2
v6.1.0-rc1
v6.1.0-rc2
v6.1.0-rc3
v6.1.0-rc4
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2.0-RC1
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.5.1.0
v6.5.1.1
v6.5.2.0
v6.5.2.1
v6.5.3.0
v6.5.3.1
v6.5.3.2
v6.5.3.3
v6.5.4.0
v6.5.4.1
v6.5.5.0
v6.5.5.1
v6.5.5.2
v6.5.6.0
v6.5.6.1
v6.5.7.0
v6.5.7.1
v6.5.7.2
v6.5.7.3
v6.5.7.4
v6.5.8.0
v6.5.8.1
v6.5.8.2
v6.5.8.3
v6.5.8.4
v6.5.8.5
v6.5.8.6
v6.5.8.7
v6.5.8.8
v6.5.8.9
v6.5.8.10
v6.5.8.11
v6.5.8.12
v6.5.8.13
v6.5.8.14
v6.5.8.15
v6.5.8.16
v6.5.8.17
v6.5.8.18
v6.5.8.19
v6.6.0.0-rc1
v6.6.0.0-rc2
v6.6.0.0-rc3
v6.6.0.0-rc4
v6.6.0.0-rc5
v6.6.0.0-rc6
v6.6.0.0-rc7
v6.6.0.0
v6.6.0.1
v6.6.0.2
v6.6.0.3
v6.6.1.0
v6.6.1.1
v6.6.1.2
v6.6.2.0
v6.6.3.0
v6.6.3.1
v6.6.4.0
v6.6.4.1
v6.6.5.0
v6.6.5.1
v6.6.6.0
v6.6.6.1
v6.6.7.0
v6.6.7.1
v6.6.8.0
v6.6.8.1
v6.6.8.2
v6.6.9.0
v6.6.10.0
v6.6.10.1
v6.6.10.2
v6.6.10.3
v6.6.10.4
v6.6.10.5
v6.6.10.6
v6.6.10.7
v6.6.10.8
v6.6.10.9
v6.6.10.10
v6.6.10.11
v6.6.10.12
v6.6.10.13
v6.6.10.14
v6.6.10.15
v6.6.10.16
v6.6.10.17
6.*
6.3.0.0
6.3.0.1
6.3.0.2
6.3.1.0
6.3.1.1
6.3.2.0
6.3.2.1
6.3.3.0
6.3.3.1
6.3.4.0
6.3.4.1
6.3.5.0
6.3.5.1
6.3.5.2
6.3.5.3
6.3.5.4
6.4.0.0-RC1
6.4.0.0
6.4.1.0
6.4.1.1
6.4.1.2
6.4.2.0
6.4.2.1
6.4.3.0
6.4.3.1
6.4.4.0
6.4.4.1
6.4.5.0
6.4.5.1
6.4.6.0
6.4.6.1
6.4.7.0
6.4.8.0
6.4.8.1
6.4.8.2
6.4.9.0
6.4.10.0
6.4.10.1
6.4.11.0
6.4.11.1
6.4.12.0
6.4.13.0
6.4.14.0
6.4.15.0
6.4.15.1
6.4.15.2
6.4.16.0
6.4.16.1
6.4.17.0
6.4.17.1
6.4.17.2
6.4.18.0
6.4.18.1
6.4.19.0
6.4.20.0
6.4.20.1
6.4.20.2
6.5.0.0-rc1
6.5.0.0-rc2
6.5.0.0-rc3
6.5.0.0-rc4
6.5.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-xvhc-gm7j-mhmc/GHSA-xvhc-gm7j-mhmc.json"