Is shopware/shopware affected by GHSA-9v82-vcjx-m76j#shopware/shopware?

Packagist shopware/shopware is affected in >=6.7.0.0 <6.7.2.1.

Is GHSA-9v82-vcjx-m76j#shopware/shopware being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

high

GHSA-9v82-vcjx-m76j#shopware/shopware

Q: Is GHSA-9v82-vcjx-m76j#shopware/shopware being exploited?

Not on the CISA KEV list. EPSS exploit probability is not available.

Packagist · shopware/shopware

Summary

Shopware: Reflective Cross Site-Scripting (XSS) in CMS components

Severity: high
Published: 2025-09-10

References

https://github.com/shopware/shopware/security/advisories/GHSA-9v82-vcjx-m76j
https://github.com/shopware/shopware/commit/12fb537c5ebe009f2a0f58b9c24dbd2d6b4c508f
https://github.com/shopware/shopware

Related advisories

GHSA-83jv-4prm-34g7 — critical · Packagist/shopware/shopware
GHSA-7336-ghhp-f2qj — critical · Packagist/shopware/shopware
GHSA-q3g4-2vw9-xv27 — critical · Packagist/shopware/shopware
CVE-2026-23498 — high · Packagist/shopware/shopware
CVE-2025-67648 — high · Packagist/shopware/shopware
GHSA-jqr7-5h7r-ch8p — medium · Packagist/shopware/shopware

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.