CVE-2026-54390

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

Vulnerability Details

Published Date

June 18, 2026

Last Modified

June 18, 2026

CWE ID

CWE-1336

Source

NVD

Vendor

JTL Software

Product

JTL Shop

External References

https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuell-5-7-2.246278/
https://sansec.io/research/jtl-shop-ssti-rce
https://www.vulncheck.com/advisories/jtl-shop-server-side-template-injection-via-smarty-renderer

CVE-2026-54390

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment