CVE-2026-48011
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack.
Risk Assessment
The ability to disclose administrator usernames increases the risk of unauthorized access to the system. Attackers may use this information to carry out further attacks.
Recommendation
It is recommended to upgrade to versions 6.6.10.18 or 6.7.10.1 to mitigate this vulnerability.
Original NVD description (English source)
Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.

