




















JTL responded fast and has released fixes for every supported branch: versions 5.5.4, 5.6.2 and 5.7.2, plus a back-patch covering 5.0.0 through 5.7.0. Every store owner running JTL Shop 5.2.0 or later should upgrade immediately.
A CVE is pending.
The impact depends on the installed version.
On JTL Shop 5.2.0 and later, where the SSTI was introduced, an attacker can read server-side values through the injected template. That includes the BLOWFISH_KEY, the database host, name, user and password, and the shop configuration: SMTP and newsletter credentials, FTP and Redis settings, OAuth secrets and the stored SFTP private key.
On JTL Shop 5.4.0 and later, the shop registers unserialize and file_get_contents as Smarty modifiers. An attacker can write a webshell to the web root and execute commands as the web server user.
| Version range | Status |
|---|---|
| 5.0.0 – 5.1.8 | Not affected |
| 5.2.0 – 5.3.x | Vulnerable: credential and configuration theft |
| 5.4.0 – 5.7.1 | Vulnerable: full unauthenticated RCE |
| 5.5.4 / 5.6.2 / 5.7.2 | Fixed |
JTL also published a back-patch covering 5.0.0 through 5.7.0 for installations that cannot move to the latest point release in their branch.
There is no evidence of active exploitation so far. That can change quickly once a patch points attackers at the vulnerable code, so unpatched stores face rising scanning pressure.
This finding is part of a broader Sansec effort. We have been working around the clock to find and triage vulnerabilities in ecommerce platforms, and new AI-assisted research capabilities now let us cover far more code, far faster. Expect more disclosures from this program.
| Date | Event |
|---|---|
| 2022-12-19 | SSTI introduced in JTL Shop 5.2.0 |
| 2024-10-29 | RCE path introduced in JTL Shop 5.4.0 |
| 2026-06-05 | Sansec reports the vulnerability to JTL |
| 2026-06-17 | JTL releases patched 5.5.4, 5.6.2 and 5.7.2; Sansec publishes |
Credit to the JTL team for a quick and professional response, and for shipping fixes across every supported branch.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。