Security Reports

An overview of identified security issues in DynamicWeb products

This page provides an overview of identified security issues in DynamicWeb products. Each report describes the nature of the vulnerability in broad terms, its potential impact, and the recommended remediation. To help customers prioritize, every report includes a CVSS v3.1 score with both a technical breakdown and an executive summary. For security reasons, detailed technical information on how to exploit the vulnerabilities is not published here, but can be obtained by contacting DynamicWeb directly. Reports are published transparently to ensure partners and customers have the necessary information to assess risks, apply updates, and stay compliant with relevant security and data protection requirements.

For more information on how we handle security fixes, please see our Security Bug Fixing Policy.

January 19th, 2026 - Unauthenticated RCE (Dynamicweb 9 and Dynamicweb 8)

Security vulnerability in Dynamicweb 9 and Dynamicweb 8

Severity: Critical
CVSS v3.1: 10.0
Affected product: Dynamicweb 9 and Dynamicweb 8
Affected versions: All Dynamicweb 9.* and 8.* versions
Fixed in: 9.19.6, 9.20.3 and 9.21.0, and a stand-alone hotfix (DynamicwebSoftware.Security.DevOps27005.dll)
Reported by: External security researcher

Description

A security vulnerability has been identified in Dynamicweb 9 that may allow an unauthenticated remote attacker to execute arbitrary code under certain conditions.

The issue was reported to Dynamicweb through a coordinated disclosure process and has been addressed in accordance with the Dynamicweb security bug fix policy.

Impact

Successful exploitation could allow an attacker to gain unauthorized access to system resources and compromise the affected Dynamicweb installation.

At the time of publication, Dynamicweb is not aware of any active exploitation.

Fix

Dynamicweb has implemented a fix that restricts access to the affected functionality and ensures proper validation of externally supplied input.

Dynamicweb Cloud

All solutions (Dynamicweb 8 and 9) hosted on Dynamicweb Cloud have received the fix. The fix was fully rolled out to our cloud by 19 January 2026.

Availability

The fix is included in the following versions:

  • Dynamicweb 9.19.6
  • Dynamicweb 9.20.3
  • Dynamicweb 9.21.0
  • DynamicwebSoftware.Security.DevOps27005.dll (stand-alone hotfix for Dynamicweb 8 and 9)

Customers running other Dynamicweb 9 versions and customers running any Dynamicweb 8 version can apply the stand-alone hotfix, delivered as a DLL, which mitigates the vulnerability. The hotfix can be installed on all Dynamicweb 8 and 9 versions and is available on the download page on the old documentation site.

Mitigation

Customers who have not yet applied the fix or hotfix should ensure that administrative functionality is not publicly accessible and that access to the solution is appropriately restricted.

Credit

Dynamicweb thanks the external security researcher for responsibly reporting this issue.

CVSS Score (Assessment)

The vulnerability has been assessed using the CVSS v3.1 Base Score:

  • Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Score 10.0 (Critical)

Justification:

  • AV:N (Network) – reachable via HTTP
  • AC:L (Low) – no special conditions; a single request chain
  • PR:N (None) – unauthenticated
  • UI:N (None) – no victim interaction
  • S:C (Changed) – compromise of the web app leads to executing code with server-side privileges beyond the web request boundary (in practice, the host or underlying system functions can be taken over)
  • C:H / I:H / A:H – code execution implies full read/modify/disrupt potential

This categorizes the issue as Critical, primarily because an unauthenticated file write to the webroot leads directly to remote code execution.

See our Security Bug Fixing Policy for further details on how DynamicWeb addresses vulnerabilities.


August 25th, 2025 - Exposure of Customer Information via Payment Callback

A vulnerability has been identified in solutions running on both DynamicWeb 9 and DynamicWeb 10 when configured with the QuickPayPaymentWindow payment provider. Under certain conditions, a malicious actor may attempt to spoof the payment callback URL. If an error template is present and configured to render order-related information, this can lead to the unintended exposure of personal customer data.

The vulnerability was identified through security testing. We have no indication that the issue has been exploited in practice.

Impact

If present, this vulnerability may allow unauthorized parties to access customer information such as:

  • Customer name
  • Email address
  • Delivery information
  • Selected delivery and payment method

No payment card data or other financial details are exposed through this vulnerability.

Affected Configurations

The issue affects DynamicWeb 9 and DynamicWeb 10 installations that use the QuickPayPaymentWindow provider with an error template that renders personal order information.

There are two approaches to mitigate the vulnerability: a short-term configuration change (make sure no error template renders personal data) and a long-term update of the QuickPayPaymentWindow checkout handler. For the short-term fix:

  • Review whether an error template is used in the QuickPayPaymentWindow setup.
  • If such a template is present, ensure that it does not render any personal or order-related information.
  • Templates should only display generic error messages that cannot be used to infer customer data.

In DynamicWeb 9:

  • Go to Settings -> Ecommerce -> Orders -> Payment
  • Locate payment methods using "Quickpay payment window"
  • Edit each payment method using "Quickpay payment window": in the "Parameters" section, set the "Error template" field to "Nothing selected", or edit the template to ensure it does not render customer information

In DynamicWeb 10:

  • Go to Settings -> Commerce -> Order management -> Payment
  • Locate payment methods using "Quickpay payment window"
  • Edit each payment method using "Quickpay payment window": on the "Provider" tab, in the "General" section, set the "Error template" field to "Nothing selected", or edit the template to ensure it does not render customer information
  • Update the QuickPayPaymentWindow CheckoutHandler provided by DynamicWeb.
  • The updated handler will ensure that the error template is not rendered when an invalid or spoofed callback URL is received. This prevents exposure of personal data in error responses.

In Dynamicweb 9

  • The new DLL can be rolled out into production; it is a drop-in replacement for the existing QuickPayPaymentWindow assembly and requires no rebuild. Alternatively:

  • In custom projects, update the QuickPayPaymentWindow project package reference to version 3.1.2

    dotnet add package Dynamicweb.Ecommerce.CheckoutHandlers.QuickPayPaymentWindow --version 3.1.2

  • Deploy the update to your production environment

In Dynamicweb 10

Short term vs Long term fix

The short-term fix is the easy way to go and is handled quickly without deploying additional code. We recommend that fix for most Dynamicweb 9 solutions, as it is less intrusive and no features will be missing. The only caveat of this fix is that the error template could accidentally be changed to expose customer information in the future, re-introducing the issue.

The long-term fix takes a bit longer to roll out on Dynamicweb 9 solutions. The benefit of that roll-out is that accidental changes to the error template in the future will not re-introduce the issue.

For Dynamicweb 10 the update of the QuickPayPaymentWindow is easy and is recommended.

CVSS Score (Assessment)

The vulnerability has been assessed using the CVSS v3.1 Base Score:

  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Score: 7.5 – High

Justification:

  • Attack Vector (AV:N): Exploitable over the network (web).
  • Attack Complexity (AC:L): Low – order IDs are guessable/sequential.
  • Privileges Required (PR:N): None – no authentication required.
  • User Interaction (UI:N): None required.
  • Scope (S:U): No cross-boundary effect.
  • Confidentiality (C:H): High – personal customer data exposed.
  • Integrity (I:N): None – data cannot be modified.
  • Availability (A:N): None – no impact on service availability.

This categorizes the issue as High Severity, primarily due to the exposure of personal data without authentication.

See our Security Bug Fixing Policy for further details on how DynamicWeb addresses vulnerabilities.

Next Steps

  • Customers are advised to immediately review their configuration to confirm whether error templates are in use and whether they contain personal data.
  • DynamicWeb will release an update to the QuickPayPaymentWindow handler that enforces safe handling of invalid callbacks. Customers are strongly encouraged to apply this update once available.
  • As a precaution, customers may also wish to review access logs for unusual callback traffic that could indicate attempts to exploit this issue.
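As an added example of the access-log review suggested above (this is not DynamicWeb code), the following Python parses Combined Log Format lines and flags any client that sends callback requests for many distinct order IDs, which is the pattern that guessing sequential order IDs would leave; a payment provider sends one callback per order. The callback path, the order-id parameter name and the sample log lines are constructed placeholders: substitute the path and parameter your QuickPayPaymentWindow setup actually uses.

```python
import re
from collections import defaultdict

# Combined Log Format: client IP, request line and status are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# ASSUMPTION: placeholder endpoint and parameter name, not DynamicWeb's real callback format.
CALLBACK_PATH = "/quickpaycallback"
ORDER_PARAM = "orderid"

# Constructed sample log: one legitimate callback from 203.0.113.7 and one host
# (198.51.100.9) walking consecutive order ids through the callback endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Aug/2025:10:01:02 +0200] "GET /quickpaycallback?orderid=ORDER1041&status=ok HTTP/1.1" 200 512
198.51.100.9 - - [25/Aug/2025:10:02:10 +0200] "GET /quickpaycallback?orderid=ORDER1001 HTTP/1.1" 200 1870
198.51.100.9 - - [25/Aug/2025:10:02:11 +0200] "GET /quickpaycallback?orderid=ORDER1002 HTTP/1.1" 200 1866
198.51.100.9 - - [25/Aug/2025:10:02:12 +0200] "GET /quickpaycallback?orderid=ORDER1003 HTTP/1.1" 200 1871
198.51.100.9 - - [25/Aug/2025:10:02:13 +0200] "GET /quickpaycallback?orderid=ORDER1004 HTTP/1.1" 200 1869
203.0.113.7 - - [25/Aug/2025:10:05:00 +0200] "GET /Default.aspx?ID=12 HTTP/1.1" 200 9021
"""

def callback_order_ids(log_text):
    """Map each client IP to the set of distinct order ids it sent to the callback endpoint."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        path, _, query = m.group("path").partition("?")
        if path != CALLBACK_PATH:
            continue
        params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
        if ORDER_PARAM in params:
            seen[m.group("ip")].add(params[ORDER_PARAM])
    return seen

def suspicious_sources(log_text, threshold=3):
    """IPs that hit the callback with at least `threshold` distinct order ids (one per order is normal)."""
    return sorted(ip for ip, ids in callback_order_ids(log_text).items() if len(ids) >= threshold)
```

Tune the threshold to your own traffic; a single source enumerating order IDs is the signal, whatever the absolute number.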

GDPR Considerations

Since the vulnerability concerns the unintended disclosure of personal data, it could potentially be considered a GDPR-relevant incident. As no actual exploitation has been observed, it is up to each customer to assess—together with their legal and compliance teams—whether notification to the supervisory authority (Datatilsynet or relevant local DPA) is necessary.

Suggested Notification Text (Optional)

For customers who decide to notify the authorities, the following Notification Text template can be used:

During a penetration test of our webshop, a vulnerability was identified that, under certain conditions, could allow unauthorized access to limited customer data (including name, email, address, and delivery preferences). The issue was discovered by an external security expert, and we have no indication that it has been exploited in practice. We have taken steps to remediate the vulnerability and are reporting this proactively in accordance with GDPR requirements.
