CVE-2026-48011

Published: Jun 10, 2026Modified: Jun 11, 2026Deferred

3.7

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.2 / Impact: 1.4

Source: security-advisories@github.com (Secondary)

Description

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

Related CWEs

CWE-208

Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (4)

https://github.com/shopware/shopware/releases/tag/v6.6.10.18

Source: security-advisories@github.com

https://github.com/shopware/shopware/releases/tag/v6.7.10.1

Source: security-advisories@github.com

https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw

Source: security-advisories@github.com

https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.