CVE-2025-27892: 
PHP vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2025-27892) affects Shopware versions prior to 6.5.8.13 in the /api/search/order endpoint. This vulnerability exists as a regression of previous vulnerabilities CVE-2024-22406 and CVE-2024-42357 (NVD, GHSA).

The vulnerability resides in the aggregations field used in search-related endpoints. While the Shopware Security Plugin 6 version 2.0.10 attempts to patch the vulnerability, it fails to sanitize nested aggregation objects effectively. Attackers can inject special characters such as ? or : into the name field of nested aggregation objects, exploiting reserved syntax used for prepared statements. The CVSS v3.1 base score is 6.8 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L (RedTeam Pentesting, GHSA).

The severity of the vulnerability varies depending on API exposure and user privileges. For backend users with low privileges, the vulnerability poses a medium risk as attackers can escalate their access. If search-related endpoints of the Store API are publicly exposed, the risk escalates to high due to the potential for direct database compromise (GBHackers, RedTeam Pentesting).

The vulnerability has been fixed in Shopware version 6.5.8.13. For older versions, users should update to Shopware Security Plugin 6 version 2.0.11. The vendor recommends updating to the latest Shopware version for full protection (GHSA, RedTeam Pentesting).