Security updates so far

This page provides an overview of security vulnerabilities that have been fixed in Shopware 5 through safefive security updates. Detailed information – including severity ratings – is available to our customers on the customer platform.


Security Vulnerability in Email Templates

A security vulnerability in the Shopware 5 backend that allowed Cross-Site Scripting (XSS) has been fixed. The issue affected the editing and display of email templates in the administration area. This made it possible to inject malicious scripts, which could compromise sensitive data or trigger unauthorized actions. With this fix, inputs are now properly filtered, enhancing the security of the backend.


Cookie Security: Switching from “Lax” to “Strict”

The shop administration now allows you to configure the SameSite cookie attribute as either “Lax” or “Strict.” This update enhances protection against Cross-Site Request Forgery (CSRF) attacks and strengthens the overall security of browser sessions.


What does this adjustment mean for you?

Cookies with the “Lax” setting are sent even when users navigate to your site from an external website, such as by clicking a link. In contrast, cookies with the “Strict” setting are only sent with same-site requests. This prevents cookies from being shared with third-party sites, even when users access your site via an external link.

Benefits of the Strict setting:

  • Enhanced protection against CSRF attacks
  • Reduced risk of unintended data leakage
  • Improved user privacy during browsing
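The following Python is an added illustration, not part of this page or of Shopware's code: it models the browser's SameSite decision described above and extends it to the cross-site POST and subresource cases, so the two values the backend offers can be compared side by side. The Request fields and scenario names are this sketch's own simplification.

```python
"""Browser SameSite decision (added example, not Shopware code).

Rules follow the SameSite specification: "Strict" cookies go only with
same-site requests; "Lax" cookies additionally go with cross-site
top-level navigations that use a safe method (GET/HEAD); "None" cookies
go with every request (browsers also require Secure for "None", which is
not modelled here). The Request fields are this sketch's own simplification.
"""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Request:
    same_site: bool             # initiating site is the cookie's own site
    top_level_navigation: bool  # link click / form submit, not fetch() or <img>
    method: str


def cookie_sent(samesite: str, req: Request) -> bool:
    """True if a cookie carrying the given SameSite value is attached to req."""
    mode = samesite.lower()
    if mode not in ("strict", "lax", "none"):
        raise ValueError(f"unknown SameSite value: {samesite}")
    if req.same_site or mode == "none":
        return True
    if mode == "strict":
        return False
    # Lax: only top-level navigations with a safe method cross the site boundary.
    return req.top_level_navigation and req.method.upper() in SAFE_METHODS


def compare(req: Request) -> dict:
    """Side-by-side result for the two values the shop backend offers."""
    return {mode: cookie_sent(mode, req) for mode in ("Lax", "Strict")}


# Constructed scenarios for a shop session cookie.
SCENARIOS = {
    "link click from an external site": Request(False, True, "GET"),
    "cross-site form POST (classic CSRF)": Request(False, True, "POST"),
    "cross-site <img> or fetch() to the shop": Request(False, False, "GET"),
    "ordinary same-site POST inside the shop": Request(True, True, "POST"),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name:42} {compare(req)}")
```

Only the first scenario differs between the two values: Lax already withholds the cookie on the cross-site POST and subresource cases, so the additional gain from Strict is on cross-site GET navigations, which matters for any state-changing GET endpoint.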

More Flexible Captcha Settings for Better Protection Against Spam and Attacks

It is now possible to choose which type of Captcha should be used in the shop. Captchas help protect against automated attacks and spam, especially on forms such as registration, login, or contact forms. Since different Captcha methods come with varying requirements and levels of security, shop owners can now specifically decide which Captcha type is best suited for their shop. The selection can be easily made through the backend configuration.


Enhanced Composer Support for Reliable Updates

Support for installations via Composer has been improved. Using Composer now results in more stable and secure installations and updates. Issues can be identified and resolved more quickly, reducing downtime and enhancing the shop’s performance. This ensures a reliable and well-protected shop environment.


Improved Protection Through Correct Creation of the .htaccess File in the Vendor Folder

A .htaccess file is now automatically created in the vendor folder to prevent direct access to sensitive files. Previously, if the folder was deleted, the file could be missing—making the folder publicly accessible. With this update, access is permanently blocked, enhancing the security of the shop installation. Even if the folder is deleted and recreated by the system, external access remains restricted.


“Forgot Password” Function Enhanced with Captcha Protection

The password reset process now includes a Captcha to automatically verify whether the request is made by a real user. This additional security measure protects Shopware 5 from automated attacks and spam attempts. It helps prevent bots from abusing the system and significantly increases the security of user accounts.


Improved Protection Through Automatic Creation of .htaccess Files

Security-relevant directories now automatically receive a .htaccess file to prevent direct access to sensitive content. Previously, this protective file could be missing after certain folders were deleted (e.g., when clearing the cache), which could leave directories publicly accessible. With this change—the automatic creation of a .htaccess file—external access remains blocked even if a folder is recreated by the system.


Direct Execution of PHAR Files Blocked at System Level

PHAR files (PHP Archives) can potentially contain malicious code and pose a security risk if executed directly on the server. This measure reliably blocks the direct execution of such files. It prevents attackers from injecting and/or executing harmful code through manipulated PHAR files. This security precaution is especially important in environments where file uploads are allowed or external sources are integrated.


Parallel Logins with a Single Customer Account Disabled

This measure ensures that a customer account can only be used by one person at a time. If someone attempts to log in using the same credentials (e.g., email and password) from a different device or location, the previous session is automatically terminated. This not only protects sensitive customer data but also prevents account misuse—such as shared logins or unauthorized access. As a result, access to the Shopware 5 shop remains individual and secure.
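As an added example (not Shopware's own session layer), the following Python sketch models the rule just described: a new login for an account revokes that account's previous session, and the revocation is recorded so it can be logged. The store layout and method names are assumptions of this sketch.

```python
"""One active session per customer account (added example, not Shopware code).

Models the rule described above: a new login with an account's credentials
revokes the account's previous session. The store layout, login() and the
revocation list are assumptions of this sketch, not the shop's real code.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class SingleSessionStore:
    by_token: dict = field(default_factory=dict)      # token -> customer email
    active_token: dict = field(default_factory=dict)  # customer email -> token
    terminated: list = field(default_factory=list)    # emails whose session was revoked

    def login(self, email: str) -> str:
        """Issue a fresh token and revoke the account's existing one, if any."""
        old = self.active_token.get(email)
        if old is not None:
            del self.by_token[old]
            # Worth logging: a second login while a session is live is the
            # signal for shared credentials or credential misuse. Record the
            # account, never the raw token.
            self.terminated.append(email)
        token = secrets.token_urlsafe(32)
        self.by_token[token] = email
        self.active_token[email] = token
        return token

    def is_valid(self, token: str) -> bool:
        """A request is authenticated only while its token is the active one."""
        return token in self.by_token

    def logout(self, token: str) -> None:
        """Explicit logout clears the token and the account's active pointer."""
        email = self.by_token.pop(token, None)
        if email is not None and self.active_token.get(email) == token:
            del self.active_token[email]
```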


Upload and Execution of PHAR Files in ESD Products Blocked

PHAR files (PHP Archives) can contain executable PHP code and therefore pose a serious security risk—especially in the context of ESD products (electronic software downloads), where files can be uploaded or downloaded by customers. This update prevents PHAR files from being uploaded to ESD products or executed within the system. As a result, a potential attack vector for injecting and executing malicious code on the server is eliminated. This significantly reduces the risk of Remote Code Execution (RCE) and enhances the security of digital products in your Shopware 5 shop.
