What the vulnerability does
01Description
Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15.
CVE-2026-32142
MEDIUM
CVE-2026-32142: shopware/commercial: `/api/_info/config` route exposes information about licenses
CVSS base score
5.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Key dates
02Disclosure timeline
March 12, 2026
CVE published
March 13, 2026
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2024-43258 WordPress Store Locator Plus® for WordPress plugin <= 2311.17.01 - Sensitive Data Exposure vulnerability
CVE-2024-52297 Tolgee's configuration all configuration properties leaked in public configuration DTO
CVE-2022-1186 Be POPIA Compliant <= 1.1.5 - Sensitive Information Exposure
CVE-2023-38059 External pictures can be loaded even if not allowed by configuration
CVE-2025-40941
