{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32100", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:02:38.853Z", "datePublished": "2026-03-12T18:10:58.556Z", "dateUpdated": "2026-03-13T16:19:37.859Z"}, "containers": {"cna": {"title": "swag/platform-security: `/api/_info/config` route exposes information about licenses and active security fixes", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-64rg-pgjv-4v33", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-64rg-pgjv-4v33"}], "affected": [{"vendor": "swag", "product": "platform-security", "versions": [{"version": ">= 4.0.0, < 4.0.7", "status": "affected"}, {"version": ">= 3.0.0 < 3.0.12", "status": "affected"}, {"version": "< 2.0.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:10:58.556Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7."}], "source": {"advisory": "GHSA-64rg-pgjv-4v33", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:19:29.070525Z", "id": "CVE-2026-32100", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:19:37.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32100", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:19:29.070525Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:19:34.008Z"}}], "cna": {"title": "swag/platform-security: `/api/_info/config` route exposes information about licenses and active security fixes", "source": {"advisory": "GHSA-64rg-pgjv-4v33", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "swag", "product": "platform-security", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.0.7"}, {"status": "affected", "version": ">= 3.0.0 < 3.0.12"}, {"status": "affected", "version": "< 2.0.16"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-64rg-pgjv-4v33", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-64rg-pgjv-4v33", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:10:58.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32100", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:19:37.859Z", "dateReserved": "2026-03-10T22:02:38.853Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:10:58.556Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta. La ruta /api/_info/config expone informaci\u00f3n sobre correcciones de seguridad activas. Esta vulnerabilidad est\u00e1 corregida en 2.0.16, 3.0.12 y 4.0.7."}], "id": "CVE-2026-32100", "lastModified": "2026-04-16T14:47:16.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T18:16:24.743", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/shopware/shopware/security/advisories/GHSA-64rg-pgjv-4v33"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "platform-security", "source": "cna", "vendor": "swag"}, "product": "platform-security", "vendor": "swag"}], "analysis": {"en": {"generated_at": "2026-03-18T14:54:43.849958+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to reach at least version 2.0.16, 3.0.12, or 4.0.7 of the platform-security component.", "If immediate patching is not possible, limit network access to /api/_info/config by configuring firewall rules or network ACLs to allow only trusted hosts.", "Verify the configuration after remediation and monitor API access logs for any unusual or repeated attempts to access the endpoint."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Shopware\u2019s platform-security component, known as swag:platform-security. Versions before 2.0.16, 3.0.12, and 4.0.7 are impacted, as noted in the vendor\u2019s advisory that the issue is fixed in these releases.", "description_and_impact": "The vulnerability allows an attacker to retrieve configuration details via the /api/_info/config route, exposing information about active security fixes and licenses. This information disclosure can aid an adversary in planning further attacks or identifying which security updates have been applied to the system. The weakness is classified as CWE-200, a misuse of information security controls that leads to the unintended release of sensitive data.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need network access to the server to call the exposed API endpoint; no authentication is required to retrieve the data. The exposure permits only information gathering and does not provide an immediate execution or privilege escalation path."}}}}, "created": "2026-03-13T09:50:30.955418+00:00", "updated": "2026-03-20T15:48:37.211047+00:00", "vendors": ["swag", "swag$PRODUCT$platform-security"]}