ГлавнаяУязвимости → CVE-2026-54390
9.8критическая

CVE-2026-54390

Описание

JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

CVSS
Балл9.8 — критическая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Источники
https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuell-5-7-2.246278/https://sansec.io/research/jtl-shop-ssti-rcehttps://www.vulncheck.com/advisories/jtl-shop-server-side-template-injection-via-smarty-renderer