CVE-2026-54390
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| JTL Software | JTL Shop | 5.0.0 <= 5.1.8 | unaffected |
| JTL Software | JTL Shop | 5.2.0 < 5.4.0 | affected |
| JTL Software | JTL Shop | 5.4.0 <= 5.7.1 | affected |
| JTL Software | JTL Shop | 5.5.4 | unaffected |
| JTL Software | JTL Shop | 5.6.2 | unaffected |
| JTL Software | JTL Shop | 5.7.2 | unaffected |
Weaknesses
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://sansec.io/research/jtl-shop-ssti-rce
- https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuell-5-7-2.246278/
- https://www.vulncheck.com/advisories/jtl-shop-server-side-template-injection-via-smarty-renderer
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.