GHSA-XVHC-GM7J-MHMC

Vulnerability from github – Published: 2026-06-04 19:35 – Updated: 2026-06-04 19:35
Summary
Shopware: Stored XSS via SVG file upload — no SVG sanitization
Details

SVG files are in the allowed_extensions whitelist and can be uploaded by any admin user via the media manager. There is no SVG content sanitization anywhere in the upload pipeline. A malicious SVG containing JavaScript (an onload handler, a <script> element, or a <foreignObject> wrapping HTML) executes in the context of the Shopware domain when the file is accessed.

The Problem

In src/Core/Framework/Resources/config/packages/shopware.yaml, line 194:

allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]

SVG is whitelisted. The upload path (MediaUploadController → FileSaver → TypeDetector) recognizes SVG as ImageType with the VECTOR_GRAPHIC flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML.

A search of the entire codebase for SVG sanitization turns up nothing: no DOMPurify, no svg-sanitize, no strip_tags on SVG content.

Impact

Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.

Suggested Fix

Either:

  1. Remove SVG from allowed_extensions if SVG upload is not a core requirement
  2. Sanitize SVG content on upload using a library like enshrined/svg-sanitize (strips scripts, event handlers, external references)
  3. Serve SVGs with Content-Disposition: attachment to prevent inline rendering
  4. Serve SVGs from a separate domain (like Nextcloud's usercontent.apps.nextcloud.com)

Option 2 is the most practical — enshrined/svg-sanitize is already used by WordPress and other PHP projects.

Regards & BG, Keyvan Hardani
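The sanitization that option 2 calls for, shown as an added example that is neither Shopware's code nor the enshrined/svg-sanitize library: a minimal scrubber that removes the constructs the advisory names (script elements, on* event handlers, foreignObject, DTD entity declarations, and script or remote href references) and reports what it removed, so an upload gate can reject the file or store the cleaned output, and a one-off run over existing media can flag files uploaded before the fix. The href rule and the blocked-element list are assumptions of this example and are narrower than what a maintained sanitizer covers.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
BLOCKED_TAGS = {"script", "foreignobject"}       # elements the advisory names
# Assumed triage rule: only same-document "#id" and relative hrefs are allowed.
UNSAFE_HREF = re.compile(r"^\s*(javascript:|https?:|//)", re.IGNORECASE)
DTD = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def _local(name):
    """Strip an XML namespace: '{http://...}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]

def _risky_attrs(el):
    """Yield attribute names carrying script (on*) or external href references."""
    for attr, value in el.attrib.items():
        local = _local(attr).lower()
        if local.startswith("on") or (local == "href" and UNSAFE_HREF.match(value)):
            yield attr

def scrub_svg(svg_text):
    """Return (clean_svg, findings); clean_svg is None when the file has a DTD."""
    if DTD.search(svg_text):                      # reject rather than rewrite the prolog
        return None, ["DTD/entity declaration (entity expansion or XXE risk)"]
    root = ET.fromstring(svg_text)
    findings = []
    for parent in list(root.iter()):              # snapshot: the tree is mutated below
        for child in list(parent):
            if _local(child.tag).lower() in BLOCKED_TAGS:
                findings.append(f"<{_local(child.tag)}> element removed")
                parent.remove(child)              # drops the whole subtree
    for el in root.iter():
        for attr in list(_risky_attrs(el)):
            findings.append(f"<{_local(el.tag)} {_local(attr)}=...> attribute removed")
            del el.attrib[attr]
    ET.register_namespace("", SVG_NS)             # serialize with a plain default xmlns
    return ET.tostring(root, encoding="unicode"), findings

# Constructed samples: a benign icon and one file carrying every construct named above.
CLEAN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             '<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')
MALICIOUS_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)" '
                 'xmlns:xlink="http://www.w3.org/1999/xlink"><script>alert(1)</script>'
                 '<foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
                 '<img src="x" onerror="alert(1)"/></body></foreignObject>'
                 '<a xlink:href="javascript:alert(1)"><text>hi</text></a></svg>')
if __name__ == "__main__":
    for name, svg in (("clean", CLEAN_SVG), ("malicious", MALICIOUS_SVG)):
        clean, findings = scrub_svg(svg)
        print(name, findings, clean, sep="\n  ")
```

A non-empty findings list on an existing media file is the detection signal; at upload time, storing the returned clean text (or rejecting on any finding) is the mitigation.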


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.7.0.0"
            },
            {
              "fixed": "6.7.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.10.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.7.0.0"
            },
            {
              "fixed": "6.7.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.10.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T19:35:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "id": "GHSA-xvhc-gm7j-mhmc",
  "modified": "2026-06-04T19:35:26Z",
  "published": "2026-06-04T19:35:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/security/advisories/GHSA-xvhc-gm7j-mhmc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/shopware"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/shopware/releases/tag/v6.7.10.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Shopware: Stored XSS via SVG file upload \u2014 no SVG sanitization"
}