shopware/core
php · shopware/core
shopware/core: Open redirect via Referer header in SSO endpoint
The public SSO entry point at GET /api/oauth/sso/auth uses the Referer header as a fallback redirect destination when the expected
09 Jun 2026
php · shopware/core
shopware/core: SVG uploads allow stored XSS
SVG files are allowed in the media manager upload whitelist but are not sanitized, enabling stored XSS via malicious SVG content.
09 Jun 2026
php · shopware/core
shopware/core: Missing IP validation in /api/_action/media/external-link endpoint
The `/api/_action/media/external-link` endpoint in Shopware's core allows authenticated admin users to make server-side HTTP HEAD
09 Jun 2026