← voltar
CVE-2026-54390

JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer

CVSS 9.3 CRITICALEPSS 0.3%CWE-1336
JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Produtos afetados
JTL Software · JTL Shop

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuell-5-7-2.246278/https://sansec.io/research/jtl-shop-ssti-rcehttps://www.vulncheck.com/advisories/jtl-shop-server-side-template-injection-via-smarty-renderer