GHSA-7vvp-j573-5584

Source

https://github.com/advisories/GHSA-7vvp-j573-5584

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7vvp-j573-5584

Aliases

CVE-2026-31887

Published

2026-03-11T19:23:43Z

Modified

2026-03-13T11:30:59.070466Z

Severity

8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator

Summary

Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Details

Summary

An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint.

Details

Data Exposure

Depending on the order payload configuration, attackers may retrieve: - Customer names - Billing address - Shipping address - Email addresses - Ordered products - Order values - Order numbers - Order dates - Payment method information - Shipping method information - More customs, depending on the given associations in the request

Security Impact

This vulnerability allows: - Unauthorized access to foreign customer order data - Mass enumeration of recent orders - Potential scraping of customer personal information

Limitation

No limitation, but only orders from the past 30 days are checked for changeable means of payment (unrelated).

Impact

The code is present since ~2021. Likely every version since then is impacted for every store.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-03-11T19:16:04Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed_at": "2026-03-11T19:23:43Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0

Fixed

6.7.8.1

Affected versions

v6.*

v6.7.0.0

v6.7.0.1

v6.7.1.0

v6.7.1.1

v6.7.1.2

v6.7.2.0

v6.7.2.1

v6.7.2.2

v6.7.3.0

v6.7.3.1

v6.7.4.0

v6.7.4.1

v6.7.4.2

v6.7.5.0

v6.7.5.1

v6.7.6.0

v6.7.6.1

v6.7.6.2

v6.7.7.0

v6.7.7.1

v6.7.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json"

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.10.15

Affected versions

v6.*

v6.0.0+ea2

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

v6.5.8.17

v6.5.8.18

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

v6.6.10.3

v6.6.10.4

v6.6.10.5

v6.6.10.6

v6.6.10.7

v6.6.10.8

v6.6.10.9

v6.6.10.10

v6.6.10.11

v6.6.10.12

v6.6.10.13

v6.6.10.14

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json"

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0.0

Fixed

6.7.8.1

Affected versions

v6.*

v6.7.0.0

v6.7.0.1

v6.7.1.0

v6.7.1.1

v6.7.1.2

v6.7.2.0

v6.7.2.1

v6.7.2.2

v6.7.3.0

v6.7.3.1

v6.7.4.0

v6.7.4.1

v6.7.4.2

v6.7.5.0

v6.7.5.1

v6.7.6.0

v6.7.6.1

v6.7.6.2

v6.7.7.0

v6.7.7.1

v6.7.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json"

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.6.10.15

Affected versions

v6.*

v6.0.0+dp1

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.2.0-RC1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

v6.5.8.8

v6.5.8.9

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.13

v6.5.8.14

v6.5.8.15

v6.5.8.16

v6.5.8.17

v6.5.8.18

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

v6.6.1.0

v6.6.1.1

v6.6.1.2

v6.6.2.0

v6.6.3.0

v6.6.3.1

v6.6.4.0

v6.6.4.1

v6.6.5.0

v6.6.5.1

v6.6.6.0

v6.6.6.1

v6.6.7.0

v6.6.7.1

v6.6.8.0

v6.6.8.1

v6.6.8.2

v6.6.9.0

v6.6.10.0

v6.6.10.1

v6.6.10.2

v6.6.10.3

v6.6.10.4

v6.6.10.5

v6.6.10.6

v6.6.10.7

v6.6.10.8

v6.6.10.9

v6.6.10.10

v6.6.10.11

v6.6.10.12

v6.6.10.13

v6.6.10.14

6.*

6.3.0.0

6.3.0.1

6.3.0.2

6.3.1.0

6.3.1.1

6.3.2.0

6.3.2.1

6.3.3.0

6.3.3.1

6.3.4.0

6.3.4.1

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json"