Description
JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is present in JTL Shop versions 5.2.0 through 5.7.1. It allows unauthenticated users to inject arbitrary Smarty template syntax because user input is not sanitized before rendering. In early versions the flaw can expose sensitive data such as database credentials and encryption keys. In versions 5.4.0 through 5.7.1 the vulnerability also lets an attacker use registered Smarty modifiers (unserialize, file_get_contents) to write a webshell to the web root and execute arbitrary commands with the web server’s privileges, providing full compromise of the application and potentially the host.

Affected Systems

Affected installations are JTL Software JTL Shop running any release from 5.2.0 to 5.7.1. The issue affects all builds in this range, with versions 5.4.0‑5.7.1 additionally susceptible to shell code injection. Administrators should confirm the exact running version and apply remediation accordingly.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. EPSS is not available, so exploitation probability is currently unknown, but the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request to a Smarty rendering endpoint, which can be abused to read sensitive information or deploy a webshell, resulting in remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch to upgrade JTL Shop to version 5.7.2 or later.
  • Restrict unauthenticated access to any endpoint that renders Smarty templates, requiring authentication where practical.
  • Disable the unsafe Smarty modifiers such as unserialize and file_get_contents to prevent code execution.
  • Enforce strict input validation on all user‑supplied data that is passed to the Smarty engine.
  • Monitor web logs for suspicious template syntax or unexpected file writes and alert on such events.

Generated by OpenCVE AI on June 18, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Jtl-software
Jtl-software jtl-shop
Vendors & Products Jtl-software
Jtl-software jtl-shop

Thu, 18 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Description JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.
Title JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer
Weaknesses CWE-1336
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Jtl-software Jtl-shop
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T11:39:42.099Z

Reserved: 2026-06-12T20:20:02.950Z

Link: CVE-2026-54390

cve-icon Vulnrichment

Updated: 2026-06-22T12:39:34.065Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-1336

    Improper Neutralization of Special Elements Used in a Template Engine