CVE-2026-48011

LOW 3.7

Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

CWE	CWE-208
Vendor	shopware
Product	shopware
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for shopware shopware

Be the first to know when new low vulnerabilities affecting shopware shopware are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

shopware / shopware

>= 6.7.0.0, < 6.7.10.1 < 6.6.10.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw github.com: https://github.com/shopware/shopware/releases/tag/v6.6.10.18 github.com: https://github.com/shopware/shopware/releases/tag/v6.7.10.1