CVE-2025-67648: Shopware Storefront Reflected XSS in Storefront Login Page

December 9, 2025 (updated December 11, 2025)

A request parameter taken from the login page URL is rendered directly within the Twig template of the Storefront login page without further processing or input validation. This allows direct code injection into the template via the URL parameter, so an attacker can craft malicious links for use in a phishing attack. The waitTime parameter lacks proper input validation.

The attack can be tested with the following URL pattern:

/account/login?loginError=1&waitTime=<a%20href%3D"https%3A%2F%2Fde.wikipedia.org%2Fwiki%2FPhishing">Here<%2Fa>

The same applies to the errorSnippet parameter.
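As a defender, the practical question is whether anyone has sent such links to your shop. The following added example (not part of the advisory or of Shopware's code) scans combined-format access log lines for requests to the login page whose waitTime or errorSnippet values would be reflected as markup; the log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the advisory names as reflected unescaped into the login template.
TAINTED_PARAMS = ("waitTime", "errorSnippet")
# A real waitTime is an integer and errorSnippet a snippet key; any of these
# characters in the decoded value would open a tag or break out of an attribute.
MARKUP_RE = re.compile(r"[<>\"']")
# Combined-format access log line: client, timestamp and request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')

# Constructed sample log lines for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Dec/2025:10:00:01 +0000] "GET /account/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Dec/2025:10:00:02 +0000] "GET /account/login?loginError=1&waitTime=30 HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.12 - - [09/Dec/2025:10:00:03 +0000] "GET /account/login?loginError=1&waitTime=%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%2F%22%3EHere%3C%2Fa%3E HTTP/1.1" 200 5300 "-" "curl/8.0"
203.0.113.13 - - [09/Dec/2025:10:00:04 +0000] "GET /de/account/login?errorSnippet=%3Ca%20href%3D%22https%3A%2F%2Fexample.invalid%2F%22%3EKlick%3C%2Fa%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.14 - - [09/Dec/2025:10:00:05 +0000] "GET /search?search=%3Cb%3Ehi HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def tainted_values(target: str) -> dict:
    """Return {param: decoded value} for login-page parameters that carry markup."""
    parts = urlsplit(target)
    # Storefront routes may carry a sales-channel/language prefix such as /de/.
    if not parts.path.rstrip("/").endswith("/account/login"):
        return {}
    # The server URL-decodes the query once before Twig sees it; parse_qs does the
    # same single decode, so double-encoded values are (correctly) not flagged.
    query = parse_qs(parts.query, keep_blank_values=True)
    return {name: value for name in TAINTED_PARAMS
            for value in query.get(name, []) if MARKUP_RE.search(value)}


def scan_log(text: str) -> list:
    """Flag requests whose waitTime/errorSnippet values would render as markup."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and (hits := tainted_values(match["target"])):
            findings.append({"ip": match["ip"], "ts": match["ts"], "params": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["params"])
```

A hit only shows that a crafted link was requested, not that the shop was unpatched at the time; correlate with the deployed shopware/storefront version from the affected ranges below.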

References

  • github.com/advisories/GHSA-6w82-v552-wjw2
  • github.com/shopware/shopware
  • github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58
  • github.com/shopware/shopware/security/advisories/GHSA-6w82-v552-wjw2
  • nvd.nist.gov/vuln/detail/CVE-2025-67648

Affected versions

All versions starting from 6.4.6.0 before 6.6.10.10, all versions starting from 6.7.0.0 before 6.7.5.1

Fixed versions

  • 6.6.10.10
  • 6.7.5.1

Solution

Upgrade to versions 6.6.10.10, 6.7.5.1 or above.

Impact 7.1 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

packagist/shopware/storefront/CVE-2025-67648.yml

Page generated Sun, 14 Dec 2025 00:19:42 +0000.