{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-54390/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-18T17:33:46.230Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-54390","@id":"https://www.cve.org/CVERecord?id=CVE-2026-54390","description":"JTL Shop versions 5.2.0 through 5.7.1 contain a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell [description truncated]"},"products":[{"@id":"cpe:2.3:a:jtl_software:jtl_shop:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:jtl_software:jtl_shop:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 5.0.0, 5.5.4, 5.6.2, 5.7.2. Note: 5.0.0 is lower than the affected range given in the description (5.2.0 through 5.7.1); verify the fixed versions against the vendor advisory before relying on this entry.","timestamp":"2026-06-18T17:33:46.230Z"}]}