Shopsys Platform PR Closes Critical HybridAuth Vulnerability CVE-2026-4587
A pending pull request for the Shopsys Platform e-commerce framework moves to eliminate a critical, previously suppressed security vulnerability. The PR explicitly addresses CVE-2026-4587 in the `hybridauth/hybridauth` library by upgrading the dependency to the patched version 3.13.0. This action removes temporary audit ignore entries that were in place as a workaround while a fix was unavailable, signaling a shift from risk mitigation to active remediation.
The vulnerability, tracked under the CVE-2026-4587 identifier, was a known security flaw within the HybridAuth library, a common component for social login functionality. The Shopsys Platform project had been suppressing alerts related to this CVE in its Composer dependency audits, a standard but risky practice when no immediate patch exists. The new version 3.13.0 of HybridAuth provides the necessary security fix, allowing the development team to bump the version constraint and systematically remove the ignore rules across all relevant `composer.json` configuration files.
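A check for leftover suppressions of the kind described above, as an added example (not code from the Shopsys PR): it walks a repository's `composer.json` files and reports any that still list CVE-2026-4587 under Composer's `config.audit.ignore`, or whose constraint still admits releases below 3.13.0. The manifests in `demo()`, the directory names and the finding labels are constructed for illustration, and only simple constraints are parsed.

```python
import json
import re
import tempfile
from pathlib import Path

CVE = "CVE-2026-4587"              # identifier from the article
PACKAGE = "hybridauth/hybridauth"  # package from the article
FIXED = (3, 13, 0)                 # patched release from the article

def lower_bound(constraint):
    """Lowest version a simple constraint (^1.2, ~1.2, >=1.2, 1.2.3) admits."""
    m = re.fullmatch(r"\s*(?:\^|~|>=)?\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", constraint)
    # Ranges, wildcards and OR-constraints are not parsed: None means "review by hand".
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_manifest(path):
    """Return the findings for one composer.json."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    findings = []
    # config.audit.ignore is either a list of advisory IDs or an object of ID -> reason.
    if CVE in data.get("config", {}).get("audit", {}).get("ignore", []):
        findings.append("stale-ignore")
    deps = {**data.get("require", {}), **data.get("require-dev", {})}
    if PACKAGE in deps:
        low = lower_bound(deps[PACKAGE])
        if low is None:
            findings.append("review-constraint")
        elif low < FIXED:
            findings.append("allows-unpatched")
    return findings

def audit_tree(root):
    """Map each composer.json under root (vendor/ skipped) to its findings."""
    results = {}
    for path in sorted(Path(root).rglob("composer.json")):
        rel = path.relative_to(root)
        if "vendor" not in rel.parts and (found := audit_manifest(path)):
            results[rel.as_posix()] = found
    return results

def demo():
    """Run the check over two constructed manifests (not the project's real files)."""
    stale = {"require": {PACKAGE: "^3.12"}, "config": {"audit": {"ignore": {CVE: "no fix"}}}}
    fixed = {"require": {PACKAGE: "^3.13.0"}}
    with tempfile.TemporaryDirectory() as tmp:
        for name, doc in (("app", stale), ("packages/frontend", fixed)):
            (Path(tmp) / name).mkdir(parents=True)
            (Path(tmp) / name / "composer.json").write_text(json.dumps(doc))
        return audit_tree(tmp)
```

A clean result covers the manifests only; `composer.lock` decides which version is actually installed, so follow it with `composer audit`.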
This update directly affects the security posture of any Shopsys-based e-commerce deployment that relies on the library for user authentication. The fix is now available, but it takes effect only once the PR is approved and deployed. The existence of live preview links for the change suggests it is undergoing final testing before being merged into the main codebase. Developers and administrators should monitor that merge to confirm their systems are no longer exposed to the vulnerability.