CRITICAL · CVE-2026-54390 · CNA: VulnCheck

CVE-2026-54390: JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer

JTL Shop versions 5.2.0 through 5.7.1 contain a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax, because unsanitized user-supplied input is passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 5.0.0
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Server-side template injection (SSTI) in JTL Shop affects versions 5.2.0 through 5.7.1, where unsanitized user input is passed directly to the Smarty template engine. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation allows reading sensitive server-side values such as database credentials and encryption keys; on versions 5.4.0 through 5.7.1, attackers can additionally write a webshell to the web root and execute arbitrary commands as the web server user. Patched-image rebuilds at versions 5.0.0, 5.5.4, 5.6.2, and 5.7.2 are available on HarborGuard for environments running an affected version.
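The root cause described above, as an added illustration that is not JTL Shop's or Smarty's own code: request data concatenated into the template source beside the hardened form, written against the Smarty 4 API (the Smarty and Smarty_Security classes and the string: template resource are assumed); the search-term input is a constructed stand-in, since the advisory does not name the real injection point.

```php
<?php
// Added example, not JTL Shop's or Smarty's own code. Assumes the Smarty 4 API:
// the Smarty and Smarty_Security classes and the "string:" template resource.
require_once __DIR__ . '/vendor/autoload.php';

// VULNERABLE PATTERN: the request value is concatenated into the template
// SOURCE, so any Smarty syntax it contains is compiled and executed
// (server-side template injection). Template variables, config values and
// every registered modifier become reachable from the request.
function renderUnsafe(Smarty $smarty, string $userInput): string
{
    return $smarty->fetch('string:<p>Results for ' . $userInput . '</p>');
}

// HARDENED PATTERN: the template source is fixed and developer-controlled;
// the request value is assigned as a variable, which Smarty outputs as data
// and never compiles. The escape modifier also covers HTML injection.
function renderSafe(Smarty $smarty, string $userInput): string
{
    $smarty->assign('q', $userInput);
    return $smarty->fetch('string:<p>Results for {$q|escape:"html"}</p>');
}

// Defence in depth: run Smarty in secure mode so that no PHP function is
// callable from template syntax, whether as a function or as a modifier
// ({$x|unserialize} or {$x|file_get_contents} then fail at compile time).
function buildSmarty(): Smarty
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_c');

    $security = new Smarty_Security($smarty);
    $security->php_functions = [];          // default allows isset, empty, count, ...
    $security->php_modifiers = [];          // default allows escape, count, nl2br
    $security->allow_php_tag = false;
    $security->allow_super_globals = false; // {$smarty.server.*} etc. unreachable
    $smarty->enableSecurity($security);
    return $smarty;
}

// Constructed stand-in for a shopper's search term; the advisory does not
// name the real injection point.
$userInput = $_GET['q'] ?? 'running shoes';
$smarty = buildSmarty();
echo renderSafe($smarty, $userInput), PHP_EOL;
```

The secure-mode settings are a compensating layer only; the fix that removes the vulnerability is never letting request data reach the template source, as renderSafe does.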

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54390 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle JTL Shop. Coverage applies to every image layer, not just base images.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 9.3 Critical and weighting it against each customer environment's compliance policy to determine urgency. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

Patched-image rebuilds at JTL Shop versions 5.0.0, 5.5.4, 5.6.2, and 5.7.2 become available on HarborGuard as soon as affected images are identified. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the JTL Shop application over the network; the service must be exposed to the attacker's network segment or the public internet.

  • Authentication: Not required

    No account or session credentials are needed; the injection point is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user of the application.

  • Attack complexity: Low

    The exploit is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors need to be satisfied.

Blast Radius

  • Reads database credentials and encryption keys stored in server-side configuration accessible to the Smarty rendering context.
  • On versions 5.4.0 through 5.7.1, writes an attacker-controlled webshell to the web root directory.
  • Executes arbitrary operating system commands as the web server user, giving full control over the application process and its file system access.
  • Exfiltrates or tampers with any data the web server user can read or modify, including customer records, order data, and session tokens stored on disk or in the database.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical SSTI fires within minutes of a matching image being scanned, drawing on the CVE feed ingested at publication time on 2026-06-18. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image at a fixed version (5.5.4, 5.6.2, or 5.7.2 depending on the branch in use), run regression tests against the rebuilt image, and open a pull request against affected workloads - median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or deployment constraints prevent auto-remediation, HarborGuard surfaces the finding with full CVSS detail and fix-version metadata so engineering teams can act manually. Given the unauthenticated remote code execution capability on versions 5.4.0 through 5.7.1, customers running those versions should treat this as highest priority and are encouraged to apply network-policy controls to restrict external access to JTL Shop endpoints as a compensating control until the patched image is deployed.


Fix available: 5.0.0, 5.5.4, 5.6.2, 5.7.2

Affected packages
  • JTL Software / JTL Shop
    ≤ 5.3.x · ≤ 5.7.1
    Fixed in 5.0.0, 5.5.4, 5.6.2, 5.7.2

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N