Unrated

Server-Side Template Injection in JTL Shop Smarty Engine

IdentifiersCVE-2026-54390CWE-1336

CVE-2026-54390 is a critical server-side template injection (SSTI) vulnerability in JTL Shop versions 5.2.0 through 5.7.1. The flaw is caused by unsanitized user-supplied input being passed to the Smarty template engine, allowing unauthenticated remote attackers to inject and evaluate malicious template syntax on the server. Successful exploitation can disclose sensitive server-side data, including database credentials and encryption keys. In JTL Shop versions 5.4.0 through 5.7.1, the impact is more severe because attackers can abuse registered Smarty modifiers, including unserialize and file_get_contents, to write a webshell into the web root and achieve arbitrary command execution as the web server user.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The vulnerability enables unauthenticated remote compromise of affected JTL Shop instances. Across versions 5.2.0 through 5.7.1, attackers can read sensitive server-side values exposed through template evaluation, including database credentials and encryption keys, resulting in severe confidentiality impact. On versions 5.4.0 through 5.7.1, attackers can escalate from information disclosure to arbitrary command execution by writing a webshell to the web root and executing commands as the web server user, creating high confidentiality, integrity, and availability impact.

Mitigation

If you can’t patch tonight, do this now.

Sanitize and strictly validate all user-controlled input processed by the Smarty template engine. Prevent untrusted data from being interpreted as template syntax. As a defense-in-depth measure, review and restrict dangerous registered Smarty modifiers and template capabilities where possible, especially functionality that can enable file access, deserialization, or file writes.

Remediation

Patch, then assume compromise.

Upgrade JTL Shop to a patched version newer than 5.7.1 or the latest vendor-fixed release. Apply all vendor patches addressing this SSTI issue. Review and correct the vulnerable code path so that untrusted user input is not passed directly into the Smarty template engine for evaluation.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Jtl-SoftwareJtl-Shopapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

cvefeed high severityNews

Jun 18, 2026

CVE-2026-54390 - JTL Shop < 5.7.2 Server-Side Template Injection via Smarty Renderer

A critical server-side template injection vulnerability in JTL Shop that can allow unauthenticated attackers to read sensitive server-side data and, on versions 5.4.0 through 5.7.1, achieve webshell deployment and arbitrary command execution via Smarty modifiers.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-54390

NVD

nvd.nist.gov/vuln/detail/CVE-2026-54390

MITRE CWE · CWE-1336

cwe.mitre.org