CVE-2026-23498

HIGH

Shopware <6.7.6.1 - Code Injection

Description

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and an array-crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

Exploits (1)

nomisec WRITEUP
by lukasz-rybak · poc
https://github.com/lukasz-rybak/CVE-2026-23498

Scores

CVSS v3 7.2
EPSS 0.0002
EPSS Percentile 6.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (3)
shopware/core 6.7.0.0 - 6.7.6.1 (Packagist)
shopware/shopware 6.7.0.0 - 6.7.6.1
shopware/shopware 6.7.0.0 - 6.7.6.1 (Packagist)
Published Jan 14, 2026
Tracked Since Feb 18, 2026