CVE-2026-48015
Shopware: Stored XSS via SVG file upload — no SVG sanitization
Description
SVG files are in the `allowed_extensions` whitelist and can be uploaded by any admin user via the media manager. There is zero SVG content sanitization anywhere in the upload pipeline. A malicious SVG with JavaScript (`onload`, `<script>`, `<foreignObject>`) executes in the context of the Shopware domain when accessed.

## The Problem

In `src/Core/Framework/Resources/config/packages/shopware.yaml`, line 194:

```yaml
allowed_extensions: ["jpg", "jpeg", "png", "webp", "avif", "gif", "svg", ...]
```

SVG is whitelisted. The upload path (`MediaUploadController` → `FileSaver` → `TypeDetector`) recognizes SVG as `ImageType` with the `VECTOR_GRAPHIC` flag, but no code strips JavaScript, event handlers, or external entity references from the SVG XML. A search of the entire codebase for SVG sanitization finds nothing: no `DOMPurify`, no `svg-sanitize`, no `strip_tags` on SVG content.

## Impact

Stored XSS affecting all users who view the uploaded SVG. In an e-commerce context, this can lead to admin account takeover, customer data theft, or malicious plugin installation.

## Suggested Fix

Either:

1. **Remove SVG from `allowed_extensions`** if SVG upload is not a core requirement
2. **Sanitize SVG content** on upload using a library like `enshrined/svg-sanitize` (strips scripts, event handlers, external references)
3. **Serve SVGs with `Content-Disposition: attachment`** to prevent inline rendering
4. **Serve SVGs from a separate domain** (like Nextcloud's `usercontent.apps.nextcloud.com`)

Option 2 is the most practical: `enshrined/svg-sanitize` is already used by WordPress and other PHP projects.

Regards & BG, Keyvan Hardani
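To make the sanitization step of fix option 2 concrete, here is an added Python example (not Shopware's code and not `enshrined/svg-sanitize`, the PHP library the report recommends) of an allowlist sanitizer that drops the constructs named above; the sample SVG is constructed for this example.

```python
# Added example: a minimal allowlist SVG sanitizer in the spirit of fix option 2.
# Not Shopware code and not enshrined/svg-sanitize; the sample SVG below is constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Anything not listed (script, foreignObject, iframe, ...) is dropped with its subtree.
ALLOWED_TAGS = {"svg", "g", "defs", "symbol", "use", "title", "desc", "path", "rect",
                "circle", "ellipse", "line", "polyline", "polygon", "text", "tspan",
                "image", "clipPath", "mask", "linearGradient", "radialGradient", "stop"}
UNSAFE_STYLE = re.compile(r"url\s*\(|expression\s*\(|javascript:", re.I)

def _local(name):
    # Strip the {namespace} prefix ElementTree puts on tag and attribute names.
    return name.split("}", 1)[-1]

def _clean(el):
    for child in list(el):
        if _local(child.tag) not in ALLOWED_TAGS:
            el.remove(child)                       # <script>, <foreignObject>, ...
        else:
            _clean(child)
    for name in list(el.attrib):
        local, value = _local(name), el.attrib[name]
        if local.lower().startswith("on"):         # onload, onclick, onerror, ...
            del el.attrib[name]
        elif local == "href" and not (value.startswith("#")
                                      or value.lower().startswith("data:image/")):
            del el.attrib[name]                    # remote reference or javascript: URL
        elif local == "style" and UNSAFE_STYLE.search(value):
            del el.attrib[name]

def sanitize_svg(svg: bytes) -> bytes:
    if b"<!DOCTYPE" in svg or b"<!ENTITY" in svg:  # never expand attacker-defined entities
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed in uploaded SVG")
    root = ET.fromstring(svg)                      # comments and PIs are discarded here
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not <svg>")
    _clean(root)
    return ET.tostring(root)

# Constructed sample carrying the vectors the report names.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body></foreignObject>
  <use xlink:href="https://attacker.example/evil.svg#a"/><circle cx="5" cy="5" r="4" onclick="alert(3)"/>
</svg>"""
```

Rejecting an upload whenever `sanitize_svg` changes or refuses the file is the stricter policy; silently storing the cleaned copy is what the recommended library does by default.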
How to fix CVE-2026-48015
To remediate CVE-2026-48015, upgrade the affected package to a fixed version below.
- upgrade to 6.7.10.1 or later
Is CVE-2026-48015 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48015.