CVE-2025-51541 – Shopware Stored XSS Vulnerability

CVE ID : CVE-2025-51541

Published : Aug. 5, 2025, 8:15 p.m. | 1 hour, 29 minutes ago

Description : A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious JavaScript. This vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack due to the absence of CSRF protections on the POST request. An unauthenticated remote attacker can craft a malicious web page that, when visited by a victim, stores the payload persistently in the installation configuration. As a result, the payload executes whenever any user subsequently accesses the vulnerable installation page, leading to persistent client-side code execution.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…