{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25878", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-06T21:08:39.128Z", "datePublished": "2026-02-09T20:53:23.818Z", "dateUpdated": "2026-02-10T15:58:56.777Z"}, "containers": {"cna": {"title": "FroshAdminer Adminer UI is accessible without admin session", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/security/advisories/GHSA-f339-246p-wwjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/security/advisories/GHSA-f339-246p-wwjp"}, {"name": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/commit/c4dd6c3462af178b3a7d146d3c651c2c253e902b", "tags": ["x_refsource_MISC"], "url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/commit/c4dd6c3462af178b3a7d146d3c651c2c253e902b"}, {"name": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/releases/tag/2.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/releases/tag/2.2.1"}], "affected": [{"vendor": "FriendsOfShopware", "product": "FroshPlatformAdminer", "versions": [{"version": "< 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:53:23.818Z"}, "descriptions": [{"lang": "en", "value": "FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1."}], "source": {"advisory": "GHSA-f339-246p-wwjp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:39:40.642905Z", "id": "CVE-2026-25878", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:58:56.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:39:40.642905Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:39:41.321Z"}}], "cna": {"title": "FroshAdminer Adminer UI is accessible without admin session", "source": {"advisory": "GHSA-f339-246p-wwjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "FriendsOfShopware", "product": "FroshPlatformAdminer", "versions": [{"status": "affected", "version": "< 2.2.1"}]}], "references": [{"url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/security/advisories/GHSA-f339-246p-wwjp", "name": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/security/advisories/GHSA-f339-246p-wwjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/commit/c4dd6c3462af178b3a7d146d3c651c2c253e902b", "name": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/commit/c4dd6c3462af178b3a7d146d3c651c2c253e902b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/releases/tag/2.2.1", "name": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/releases/tag/2.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T20:53:23.818Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25878", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:58:56.777Z", "dateReserved": "2026-02-06T21:08:39.128Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T20:53:23.818Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:friendsofshopware:froshadminer:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F95E905-90E0-4563-94B3-BE7F7FAEBAB4", "versionEndExcluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route (/admin/adminer) was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. This vulnerability is fixed in 2.2.1."}, {"lang": "es", "value": "FroshAdminer es el plugin de Adminer para la plataforma Shopware. Antes de la versi\u00f3n 2.2.1, la ruta de Adminer (/admin/adminer) era accesible sin autenticaci\u00f3n de administrador de Shopware. La ruta estaba configurada con auth_required=false y no realizaba ninguna validaci\u00f3n de sesi\u00f3n, exponiendo la interfaz de usuario de Adminer a usuarios no autenticados. Esta vulnerabilidad se corrige en la versi\u00f3n 2.2.1."}], "id": "CVE-2026-25878", "lastModified": "2026-02-28T00:18:44.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T21:15:50.380", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/commit/c4dd6c3462af178b3a7d146d3c651c2c253e902b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/releases/tag/2.2.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/FriendsOfShopware/FroshPlatformAdminer/security/advisories/GHSA-f339-246p-wwjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.1)"}}], "product": "froshplatformadminer", "vendor": "friendsofshopware"}], "analysis": {"en": {"generated_at": "2026-04-18T12:57:36.751525+00:00", "value": {"mitigation_remediation": ["Upgrade FroshPlatformAdminer to version 2.2.1 or later to enforce authentication on the Adminer route.", "Verify that the plugin\u2019s configuration specifies auth_required=true and that the route is protected by Shopware\u2019s admin authentication mechanisms.", "If an immediate upgrade is not possible, restrict access to /admin/adminer at the web server or firewall level to trusted IPs or apply temporary HTTP authentication to limit exposure."], "summary": {"action": "Immediate Patch", "impact": "Data Exposure"}, "threat_synthesis": {"affected_systems": "FriendsOfShopware\u2019s FroshPlatformAdminer plugin is affected in all versions prior to 2.2.1. Users running any older version of the plugin are at risk until they upgrade to 2.2.1 or later, where the authentication requirement has been enforced.", "description_and_impact": "FroshAdminer, a Shopware Platform plugin, allowed unauthenticated users to reach its Adminer interface at /admin/adminer. The plugin was configured with auth_required set to false and performed no session validation, thus exposing the database management UI. An attacker who gains access to the UI could view database credentials, execute arbitrary queries against the shop's database, and potentially modify or delete data, resulting in a breach of confidentiality and integrity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.9, indicating medium severity, and an EPSS score of less than 1\u202f%, meaning exploit probability is low. It is not listed in CISA\u2019s KEV catalog. Attackers would most likely exploit the weakness by simply browsing to /admin/adminer via a web browser, as the route is publicly reachable without authentication. The weakness falls under CWE\u2011306, reflecting missing authentication protection."}}}}, "created": "2026-02-10T11:35:11.034780+00:00", "updated": "2026-04-18T13:00:08.768649+00:00", "vendors": ["friendsofshopware", "friendsofshopware$PRODUCT$froshplatformadminer"]}