Impact
The vulnerability originates from a regression in Shopware versions 6.7.0.0 through 6.7.6.0, where array-crafted PHP Closure objects passed to the map(...) override are not validated against an allow list. Because Twig's rendering engine executes the code defined by such closures, an attacker who can supply one can inject arbitrary PHP code; the weakness is categorized as CWE-94 (code injection). The impact includes potential compromise of the confidentiality, integrity, and availability of the application and its underlying server. Based on the description, it is inferred that an attacker can trigger execution without requiring explicit authentication or privileged access.
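As an added illustration of the missing check (example code, not Shopware's or Twig's own), the snippet below shows a Twig `map` override that refuses any callback not on an explicit allow list, which is the kind of validation the fixed versions apply. The class name, the allow-list contents and the helper `callbackIsAllowed()` are assumptions, and it assumes Twig 3 is available via Composer autoloading.

```php
<?php
// Added illustration, not Shopware's code. AllowListedMapExtension,
// ALLOWED_FUNCTIONS and callbackIsAllowed() are assumed names.
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class AllowListedMapExtension extends AbstractExtension
{
    // Named PHP functions a template may hand to map(); anything else is refused.
    private const ALLOWED_FUNCTIONS = ['strtoupper', 'trim', 'intval'];

    public function getFilters(): array
    {
        // Registering 'map' again replaces Twig's built-in filter of that name.
        return [new TwigFilter('map', [$this, 'map'])];
    }

    public function map(iterable $items, mixed $callback): array
    {
        if (!self::callbackIsAllowed($callback)) {
            throw new \InvalidArgumentException('map(): callback is not allow-listed');
        }
        $out = [];
        foreach ($items as $key => $value) {
            $out[$key] = $callback($value);
        }
        return $out;
    }

    public static function callbackIsAllowed(mixed $callback): bool
    {
        if (is_string($callback)) {
            return in_array($callback, self::ALLOWED_FUNCTIONS, true);
        }
        if ($callback instanceof \Closure) {
            // An arrow function written in the template reflects as an anonymous
            // function ("{closure...}"). A Closure built from a named callable
            // (Closure::fromCallable, first-class callable syntax) reports that
            // callable's name instead and is rejected here: named functions must
            // go through the string allow list above.
            return str_starts_with((new \ReflectionFunction($callback))->getName(), '{closure');
        }
        // Array callables ([class, method]) and anything else are never accepted.
        return false;
    }
}

// Constructed checks (enable zend.assertions to have them evaluated):
assert(AllowListedMapExtension::callbackIsAllowed(fn ($v) => $v * 2) === true);
assert(AllowListedMapExtension::callbackIsAllowed('strtoupper') === true);
assert(AllowListedMapExtension::callbackIsAllowed(['SomeClass', 'method']) === false);
assert(AllowListedMapExtension::callbackIsAllowed(\Closure::fromCallable('strrev')) === false);
```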
Affected Systems
Affected systems are deployments of the Shopware e-commerce platform by the vendor shopware. The vulnerability is present in versions starting with 6.7.0.0 and continuing through 6.7.6.0; versions 6.7.6.1 and later contain the fix, which validates closures against the allow list.
Risk and Exploitability
The CVSS v3.1 base score is 7.2, indicating high severity. The EPSS score is cited as below 1%, indicating a low probability of exploitation today, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is crafted input that reaches Twig's map(...) functionality, where an attacker may manipulate template content or provide data that triggers the closure. It is inferred that success requires influencing the content rendered by the application, for example by uploading or editing a template or by providing specially constructed data. Because the vector is not publicly documented, the actual exploitation risk is moderate, but a successful attack could lead to full remote code execution on the host.
OpenCVE Enrichment
Github GHSA