Server-Side Template Injection Vulnerability in JTL Shop by JTL Software
CVE-2026-54390

9.3CRITICAL

Key Information:

Vendor

Jtl Software

Status
Jtl Shop
Vendor
CVE Published:
18 June 2026

What is CVE-2026-54390?

Versions 5.2.0 through 5.7.1 of JTL Shop contain a vulnerability that permits unauthenticated attackers to exploit unsanitized user input processed by the Smarty template engine. This flaw enables attackers to inject malicious template syntax, potentially compromising server-side values such as database credentials and encryption keys. Notably, on versions 5.4.0 through 5.7.1, the vulnerability allows malicious actors to leverage registered Smarty modifiers to write a webshell into the web root and execute arbitrary commands under the privileges of the web server user.

Affected Version(s)

JTL Shop 5.0.0 <= 5.1.8

JTL Shop 5.2.0 <= 5.3.x

JTL Shop 5.4.0 <= 5.7.1

References

https://sansec.io/research/jtl-shop-ssti-rce
technical-description
https://forum.jtl-software.de/threads/jtl-shop-5-7-aktuel...
release-notespatch
https://www.vulncheck.com/advisories/jtl-shop-server-side...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sansec
.