CVE-2026-23498

Summary

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(…) override. This vulnerability is fixed in 6.7.6.1.

Affected Software

VendorProductVersion RangeStatus
shopwareshopware>= 6.7.0.0, < 6.7.6.1affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References