CVSS 3.7

CVE-2026-48011

Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: shopware
Product: shopware
Affected versions:
  >= 6.7.0.0, < 6.7.10.1 (status: affected)
  < 6.6.10.18 (status: affected)
No advisory warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.22% | 0.127
CVSS metrics
Source | Base score | Exploitability score | Impact score | Vector string
security-advisories@github.com | 3.7 | 2.2 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
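The following is an added illustration of the CWE-208 pattern behind this advisory (the description above and the CWE text). It is not Shopware's code and does not reproduce Shopware's fix; Shopware is a PHP/Symfony project, but the example is written in Python so it runs stand-alone. The user store, the password hashing parameters, the account name "admin" and all function names are assumptions for the example. `login_vulnerable` returns early when the username is unknown, so an unknown name answers in microseconds while a real name costs one full password hash; `login_hardened` shows the standard mitigation of always verifying against a dummy credential so both paths do the same work. `hash_work` counts hash computations as a deterministic proxy for wall-clock time, and `enumerate_users` shows the attacker's measurement.

```python
"""CWE-208 username enumeration via login timing: vulnerable and hardened forms.

Added example, not Shopware's code. User store, salts, iteration count and
function names are constructed for this illustration.
"""
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 100_000  # PBKDF2 work factor; deliberately slow so timing is observable


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with a single administrator account (assumption).
_SALT = b"constructed-static-salt"  # fixed so the example is deterministic
USERS = {"admin": (_SALT, hash_password("correct horse battery staple", _SALT))}

# Counter of expensive hash computations: a deterministic stand-in for elapsed time.
HASH_CALLS = {"n": 0}


def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["n"] += 1
    # compare_digest keeps the final comparison itself constant-time.
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users; unknown names answer far faster (CWE-208)."""
    record = USERS.get(username)
    if record is None:
        return False  # no hash computed: the fast path leaks 'user does not exist'
    salt, digest = record
    return _verify(password, salt, digest)


# Dummy credential for the hardened path, computed once at startup (assumption).
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_hardened(username: str, password: str) -> bool:
    """Performs exactly one password verification whether or not the user exists."""
    record = USERS.get(username)
    if record is None:
        _verify(password, _DUMMY_SALT, _DUMMY_DIGEST)  # same work, result discarded
        return False
    salt, digest = record
    return _verify(password, salt, digest)


def hash_work(login, username: str, password: str) -> int:
    """Number of password-hash computations one login attempt triggers."""
    before = HASH_CALLS["n"]
    login(username, password)
    return HASH_CALLS["n"] - before


def median_seconds(login, username: str, password: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def enumerate_users(login, candidates, rounds: int = 5):
    """Attacker's view: a candidate whose wrong-password attempt takes markedly
    longer than a random nonsense username is inferred to exist."""
    baseline = median_seconds(login, "no-such-user-" + os.urandom(4).hex(), "x", rounds)
    return [u for u in candidates if median_seconds(login, u, "x", rounds) > 10 * baseline]


if __name__ == "__main__":
    wordlist = ["admin", "root", "shopadmin"]
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: usernames inferred to exist = {enumerate_users(fn, wordlist)}")
```

Against `login_vulnerable` the wordlist scan reports "admin" because its attempt costs a full PBKDF2 run while the others return immediately; against `login_hardened` every attempt costs the same hash and nothing stands out. Real measurements over a network are noisier than this local loop, which is why the CVSS vector carries AC:H: an attacker compensates with many samples and a statistical test rather than a single comparison, so a fix must remove the work-factor difference rather than merely add jitter.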

https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw
https://github.com/shopware/shopware/releases/tag/v6.6.10.18
https://github.com/shopware/shopware/releases/tag/v6.7.10.1