Critical SSTI in JTL Shop Enables Unauthenticated RCE and Webshell Deployment
A critical server-side template injection flaw tracked as CVE-2026-54390 affects JTL Shop versions 5.2.0 through 5.7.1, where unsanitized user input is passed to the Smarty template engine. The vulnerability allows unauthenticated remote attackers to inject malicious template syntax and access sensitive server-side information, including database credentials and encryption keys.
On JTL Shop 5.4.0 through 5.7.1, the flaw can be escalated to remote code execution by abusing registered Smarty modifiers such as unserialize and file_get_contents to write a webshell into the web root and run arbitrary commands as the web server user. The issue has been rated critical with CVSS 3.1 9.8 and CVSS 4.0 9.3, and affected organizations are advised to upgrade to JTL Shop 5.7.2 or later and ensure user input reaching the template engine is properly sanitized.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CVE-2026-54390 published for JTL Shop SSTI flaw
A critical server-side template injection vulnerability affecting JTL Shop versions 5.2.0 through 5.7.1 was published as CVE-2026-54390. The issue allows unauthenticated remote attackers to inject Smarty template syntax, exposing sensitive data and, on versions 5.4.0 through 5.7.1, potentially write a webshell and execute commands as the web server user.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical File Write and RCE Flaws Disclosed in Shopizer, JeeSite, and Krayin CRM
Newly published CVEs detail severe application-layer vulnerabilities in three widely used web platforms. **Shopizer 3.2.5** is affected by `CVE-2026-36767`, a critical path traversal flaw in the `/content/images/add` endpoint that lets an unauthenticated attacker send a crafted POST request and write arbitrary files to any writable path. **JeeSite 5.15.1** is affected by `CVE-2026-36760`, where the `fileMd5` parameter in `/a/file/upload` can be abused during chunked uploads to traverse directories and write arbitrary files with whitelisted suffixes to attacker-chosen filesystem locations; exploitation requires authenticated access with file upload permissions. A separate high-severity issue, `CVE-2026-36340`, affects **Krayin CRM 2.1.5** and allows remote code execution through the compose email function. The flaw was classified as `CWE-94` and has been fixed in **Krayin CRM 2.1.6**. The Shopizer and JeeSite bugs were both classified as `CWE-22` and carry high-impact CVSS ratings reflecting serious risk to confidentiality and integrity, with Shopizer also exposing availability. Public references for all three issues were added alongside their CVE records, including linked GitHub documentation and issue reports describing the vulnerabilities.
May 24, 2026
Multiple CMS Plugin Vulnerabilities: WordPress CVEs and Joomla Novarain/Tassos Framework Flaws
Three newly described **WordPress plugin vulnerabilities** affect ShopLentor, Advanced AJAX Product Filters, and WP Maps. **CVE-2026-1714** allows **unauthenticated email relay abuse** in *ShopLentor* (<= `3.3.2`) via the `woolentor_suggest_price_action` AJAX endpoint due to missing validation of parameters such as `send_to` and `product_title`; the `wlemail` parameter can be abused for **CRLF injection** to control sender details, enabling spam/phishing relay through the victim site. **CVE-2026-1426** is a **PHP object injection** issue in *Advanced AJAX Product Filters* (<= `3.1.9.6`) reachable by **authenticated users (Author+)** through deserialization of untrusted input in `shortcode_check` within a Live Composer compatibility layer; impact depends on the presence of a usable **POP chain** in another installed plugin/theme and requires the *Live Composer* plugin to be installed and active. **CVE-2025-12062** affects *WP Maps* (<= `4.8.6`) and enables **authenticated (Subscriber+) limited local file inclusion** via `fc_load_template`, potentially leading to sensitive data exposure or code execution in scenarios where attacker-controlled `.html` content can be uploaded and then included. Separately, Joomla sites using the **Novarain/Tassos Framework** (`plg_system_nrframework`) face critical issues enabling **unauthenticated file read, file deletion, and SQL injection**, which can be chained toward **administrator takeover** and potentially **persistent RCE**. The reported weaknesses stem from an AJAX handler that processes `task=include` without sufficient hardening, allowing attackers to reach internal classes implementing `onAjax` and abuse gadget-like behaviors (e.g., CSV loading for arbitrary file read, a `remove` action for path deletion, and attacker-influenced query construction for SQL injection). The risk propagates through multiple popular Tassos extensions that bundle the framework (including **Convert Forms**, **EngageBox**, **Google Structured Data**, **Advanced Custom Fields**, and **Smile Pack**), and remediation requires applying vendor updates for affected releases.
Mar 21, 2026
Thymeleaf SSTI Bypass Enables Expression Injection in Spring Java Apps
A critical flaw tracked as **`CVE-2026-40478`** allows attackers to bypass Thymeleaf’s expression-injection protections and achieve **server-side template injection (SSTI)** in applications that pass unvalidated user input into the template engine. The vulnerability affects **Thymeleaf 3.1.3.RELEASE and earlier** and stems from improper neutralization of syntax patterns in expression execution, including a whitespace parsing mismatch that let attackers evade detection of the SpEL `new` keyword and an incomplete type blocklist that still allowed dangerous class instantiation. The issue is mapped to **`CWE-917`** and **`CWE-1336`**, with a published **CVSS v3.1** vector of **`AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H`**. Researchers said successful exploitation can enable arbitrary file writes and potentially remote code execution in **Spring-based Java applications**, where Thymeleaf is commonly used as the default template engine in Spring Boot. The flaw can be exploited remotely without authentication when attacker-controlled input reaches Thymeleaf expression parsing, view names, or fragment selectors. The issue is addressed in **`3.1.4.RELEASE`**, which normalizes whitespace before checks, expands external-access detection, restricts dangerous expression objects, and tightens type restrictions; defenders are urged to upgrade **`thymeleaf`**, **`thymeleaf-spring5`**, and **`thymeleaf-spring6`** and review applications to ensure untrusted input is never interpreted as template expressions.
Apr 29, 2026