Skip to main content

JTL Shop CVE-2026-54390

| EUVD-2026-37925 CRITICAL
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
2026-06-18 VulnCheck GHSA-pxq6-fr5m-fwh5
Ssti Deserialization Jtl Shop
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Remote unauthenticated HTTP request with no user interaction yields SSTI and RCE as the web user, giving full C/I/A impact on the vulnerable host without scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 18:01 vuln.today

DescriptionCVE.org

JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

AnalysisAI

Server-side template injection in JTL Shop 5.2.0 through 5.7.1 allows remote unauthenticated attackers to inject Smarty template syntax via unsanitized user input, exposing sensitive server-side values like database credentials and encryption keys. On versions 5.4.0 through 5.7.1, the flaw escalates to remote code execution by abusing registered Smarty modifiers (unserialize, file_get_contents) to drop a webshell and execute commands as the web server user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify JTL Shop storefront
Delivery
Send crafted request with Smarty syntax
Exploit
Trigger SSTI in renderer
Execution
Abuse unserialize/file_get_contents modifiers
Persist
Write PHP webshell to web root
Impact
Execute commands as web server user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions for information disclosure - remote unauthenticated exploitation against default configurations of JTL Shop 5.2.0 through 5.7.1 via any endpoint that passes user input into the Smarty renderer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to a high-priority issue: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H reflects a trivially reachable, unauthenticated network-facing flaw with full impact, and the 9.3 base score is consistent with the description (no preconditions, full read/write/exec on the affected versions). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends an HTTP request to an internet-facing JTL Shop 5.4.0-5.7.1 storefront with a parameter containing Smarty template syntax that invokes the unserialize and file_get_contents modifiers; the server renders the payload, writes a PHP webshell into the web root, and the attacker then executes arbitrary commands as the web server user via subsequent requests to the dropped shell. Public technical analysis from Sansec describes the chain, so reproducing the exploit requires only adapting the published gadget to a specific install.
Remediation Vendor-released patch: upgrade to JTL Shop 5.7.2 or later as announced in the JTL forum thread at https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuell-5-7-2.246278/, which addresses the unsanitized input passed to the Smarty renderer. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all JTL Shop deployments and confirm installed versions against the affected range (5.2.0-5.7.1); isolate any confirmed vulnerable instances from network access if immediate patching is not possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-11407 HIGH
8.6 Jun 17

Twig sandbox bypass in Pimcore CMS/DXP 12.3.8 lets authenticated administrators escape the template sandbox by abusing e
CVE-2026-52796 LOW
3.5 Jun 22

{` placeholder, the third-party `com.Expand()` call in `internal/markup/markup.go` panics due to a negative slice index,

Share

CVE-2026-54390 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy