Security Advisories
CVEs affecting projects tracked on Release Alert, from NVD & OSV.
CVEs affecting projects tracked on Release Alert, from NVD & OSV.
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.