CVE-2026-54390

Summary

JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

Affected Software

VendorProductVersion RangeStatus
JTL SoftwareJTL Shop5.0.0 <= 5.1.8unaffected
JTL SoftwareJTL Shop5.2.0 < 5.4.0affected
JTL SoftwareJTL Shop5.4.0 <= 5.7.1affected
JTL SoftwareJTL Shop5.5.4unaffected
JTL SoftwareJTL Shop5.6.2unaffected
JTL SoftwareJTL Shop5.7.2unaffected

Weaknesses

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References