{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23498", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T15:47:41.629Z", "datePublished": "2026-01-14T18:31:19.070Z", "dateUpdated": "2026-01-14T21:15:57.391Z"}, "containers": {"cna": {"title": "Shopware Improper Control of Generation of Code in Twig rendered views", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf"}, {"name": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475", "tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475"}], "affected": [{"vendor": "shopware", "product": "shopware", "versions": [{"version": ">= 6.7.0.0, < 6.7.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T18:31:19.070Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1."}], "source": {"advisory": "GHSA-7cw6-7h3h-v8pf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T21:15:49.007384Z", "id": "CVE-2026-23498", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:15:57.391Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23498", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T21:15:49.007384Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:15:53.759Z"}}], "cna": {"title": "Shopware Improper Control of Generation of Code in Twig rendered views", "source": {"advisory": "GHSA-7cw6-7h3h-v8pf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "shopware", "product": "shopware", "versions": [{"status": "affected", "version": ">= 6.7.0.0, < 6.7.6.1"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475", "name": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T18:31:19.070Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23498", "state": "PUBLISHED", "dateUpdated": "2026-01-14T21:15:57.391Z", "dateReserved": "2026-01-13T15:47:41.629Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-14T18:31:19.070Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "877A9967-76FF-4B9C-AF91-0EFA65AE8A2F", "versionEndExcluding": "6.7.6.1", "versionStartIncluding": "6.7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1."}], "id": "CVE-2026-23498", "lastModified": "2026-01-28T17:17:16.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-14T19:16:48.430", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:12:28.124252+00:00", "value": {"mitigation_remediation": ["Upgrade Shopware to version 6.7.6.1 or newer.", "Validate or remove dynamic closures passed to the map(...) function to ensure they meet the allow list.", "Monitor application logs for unexpected PHP code execution or errors that may indicate an attempt to exploit the rendering engine."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are deployments of the Shopware e\u2011commerce platform by the vendor shopware. The vulnerability is present in versions starting with 6.7.0.0 and continuing through 6.7.6.0; versions 6.7.6.1 and later contain the fix that validates closures against the allow list.", "description_and_impact": "The vulnerability originates from a regression in Shopware versions 6.7.0.0 through 6.7.6.0, where array\u2011crafted PHP Closure objects that are passed to the map(...) override are not validated against an allow list. Because Twig\u2019s rendering engine can execute code defined by such closures, an attacker can inject malicious PHP code, which is categorized as CWE\u201194. The impact includes potential compromise of confidentiality, integrity, and availability of the application and its underlying server. Based on the description, it is inferred that an attacker can trigger execution without requiring explicit authentication or privileged access.", "risk_and_exploitability": "The CVSS v3.1 base score is 7.2, indicating a high severity risk. The EPSS score is cited as less than 1\u202f%, indicating a low probability of exploitation today; the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted input that travels through Twig\u2019s map(...) functionality, where an attacker may manipulate template content or provide data that triggers the closure. It is inferred that success requires influencing the content rendered by the application, such as by uploading or editing a template or providing specially constructed data. Because the vector is not publicly documented, the actual exploitation risk is moderate, but a successful attack could lead to full remote code execution on the host."}}}}, "created": "2026-01-15T08:03:27.830782+00:00", "updated": "2026-04-18T19:15:10.616025+00:00", "vendors": ["shopware", "shopware$PRODUCT$shopware"]}