CVE-2026-23498

HIGH

Shopware 6.7.0.0-6.7.6.0 - Remote Code Execution via PHP Closure Allow List Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-23498. PoCs published by lukasz-rybak.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-23498, a code injection vulnerability in Shopware's Twig template engine. It explains the regression in the patch for CVE-2023-2017, where array and PHP Closure inputs bypassed the allowlist for the map() function.

Description

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of the fix for CVE-2023-2017 means that arrays and crafted PHP Closures are not checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

Exploits (1)

nomisec WRITEUP
by lukasz-rybak · poc
https://github.com/lukasz-rybak/CVE-2026-23498


Classification: Writeup (90%)
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Shopware (versions >= 6.7.0.0, < 6.7.6.1)
Authentication: No auth needed
Prerequisites: Access to a vulnerable Shopware instance
Analyzed by devstral-2 on Apr 12, 2026

Scores

CVSS v3.1: 7.2
EPSS: 0.0001
EPSS Percentile: 2.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (3)
shopware/core 6.7.0.0 - 6.7.6.1 (Packagist)
shopware/shopware 6.7.0.0 - 6.7.6.1
shopware/shopware 6.7.0.0 - 6.7.6.1 (Packagist)
Published Jan 14, 2026
Tracked Since Feb 18, 2026