CVE-2026-54390

CRITICAL 9.8

JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

CWE	CWE-1336
Vendor	jtl software
Product	jtl shop
Published	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for jtl software jtl shop

Be the first to know when new critical vulnerabilities affecting jtl software jtl shop are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

JTL Software / JTL Shop

5.2.0 ≤ 5.3.x 5.4.0 ≤ 5.7.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

sansec.io: https://sansec.io/research/jtl-shop-ssti-rce forum.jtl-software.de: https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuell-5-7-2.246278/ vulncheck.com: https://www.vulncheck.com/advisories/jtl-shop-server-side-template-injection-via-smarty-renderer

Credits

Sansec