CVE-2025-51541 is a stored cross-site scripting (XSS) vulnerability identified in the Shopware 6 e-commerce platform, specifically within its installation interface at the endpoint /recovery/install/database-configuration/. The vulnerability arises because the c_database_schema field does not properly sanitize user-supplied input before rendering it in the browser. This flaw allows an attacker to inject malicious JavaScript code that is persistently stored in the installation configuration. Furthermore, the vulnerability is exacerbated by the absence of Cross-Site Request Forgery (CSRF) protections on the POST request handling this input. This means an unauthenticated remote attacker can craft a malicious web page that, when visited by a victim, submits a specially crafted POST request to the vulnerable endpoint, injecting the malicious payload. Once stored, the payload executes every time any user accesses the vulnerable installation page, leading to persistent client-side code execution. This attack vector does not require authentication, increasing its risk profile. The persistent nature of the XSS means that the malicious script can affect multiple users over time, potentially stealing sensitive information such as session cookies, credentials, or performing actions on behalf of users. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant threat, especially during the installation or recovery phases of Shopware 6 deployments.

For European organizations using Shopware 6, this vulnerability poses a serious risk to the confidentiality and integrity of user data and the availability of the e-commerce platform. Persistent XSS can lead to session hijacking, credential theft, and unauthorized actions performed on behalf of legitimate users, potentially resulting in data breaches and loss of customer trust. Since the vulnerability is exploitable without authentication and leverages CSRF, attackers can target administrators or users involved in the installation or recovery process, which may be less monitored and more vulnerable. This could lead to compromise of administrative accounts or manipulation of installation configurations, potentially enabling further attacks or persistent backdoors. Given the widespread use of Shopware in European e-commerce, especially among small and medium-sized enterprises, exploitation could disrupt business operations, cause financial losses, and damage reputations. Additionally, regulatory implications under GDPR may arise if personal data is compromised due to this vulnerability.

To mitigate this vulnerability, organizations should immediately implement input validation and output encoding on the c_database_schema field to ensure that any user-supplied data is properly sanitized before rendering. Applying strict Content Security Policy (CSP) headers can help limit the impact of any injected scripts. It is critical to add CSRF protections on the POST request handling the database configuration input, such as implementing anti-CSRF tokens and verifying their presence on each request. Organizations should also restrict access to the installation and recovery interfaces to trusted networks or authenticated users only, reducing exposure. Regularly monitoring and auditing logs for unusual POST requests to the installation endpoint can help detect exploitation attempts. Applying vendor patches or updates as soon as they become available is essential. In the absence of official patches, temporarily disabling or restricting access to the vulnerable installation interface until remediation is possible is advisable. Finally, educating administrators and users about the risks of visiting untrusted web pages during installation or recovery phases can reduce the likelihood of successful CSRF attacks.