PatchSiren cyber security CVE debrief
CVE-2026-48011 shopware CVE debrief
CVE-2026-48011 is a low-severity vulnerability in Shopware, a popular open commerce platform. The issue, with a CVSS score of 3.7, allows an attacker to enumerate the usernames of administrator users by performing a timing attack. This vulnerability was published on June 10, 2026, and modified on June 11, 2026. The attack requires no privileges (PR:N) and has a low impact on confidentiality (C:L). The vulnerability was fixed in versions 6.6.10.18 and 6.7.10.1 of Shopware.
- Vendor: shopware
- Product: Unknown
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Administrators and users of Shopware versions prior to 6.6.10.18 and 6.7.10.1 should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by an insecure implementation of user authentication in Shopware. An attacker can exploit this vulnerability by performing a timing attack to enumerate administrator usernames.
Defensive priority
Low
Recommended defensive actions
- Upgrade to Shopware version 6.6.10.18 or 6.7.10.1 or later.
- Implement additional security measures to prevent timing attacks, such as rate limiting and IP blocking.
Evidence notes
The vulnerability was reported by an unknown source and fixed by the Shopware development team. The CVE record was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-48011).
Official resources
CVE-2026-48011 was published on June 10, 2026, and modified on June 11, 2026.