Security Update 04/2021

General Information

In this security release, we have fixed a critical vulnerability in addition to the usual bug fixes, as well as two other general security improvements. Affected are the Shopware versions from 6.1.0 up to and including The following vulnerabilities have been fixed with this security update:

NEXT-14533 - After order payment process manipulatable
NEXT-14188 - Protect .env via .htaccess in shopware root!
NEXT-14278 - Persistent Cross-site Scripting Vulnerability
NEXT-14482 - Aggregations are not protected by ApiAware

To make use of the fixes made with NEXT-14188 & NEXT-14278 please make sure to update your server config accordingly.


The update to or the installation of the security plugin will update the htaccess. If you want to do this by your own, copy this file:

We recommend updating to the current version You can get the update to regularly via the Auto-Updater or directly via the download overview.

For older versions of 6.1 and 6.2, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Was this article helpful?


6.1.0 -