Lack of data validation in shopware/core
Description
Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact
We fixed Twig filters with CVE-2023-2017 so that they are only executed with allowed functions. However, there was a regression that led to an array and an array-crafted PHP Closure not being checked against the allow list for the map(...) override.
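An allow-list check of this kind has to cover every shape a PHP callable can take, not only plain strings. The following is an added example, not Shopware's code or the code from the patch: it reduces string, array and Closure callables to one name before the allow-list lookup. The function names, the allow list and the sample inputs are constructed for illustration, and PHP 8.2 or later is assumed.

```php
<?php

// Hypothetical allow list for this example (stored lowercase: PHP names are case-insensitive).
const ALLOWED = ['strtoupper', 'trim'];
// Reduce any callable shape to a comparable name; null means an anonymous arrow function.
function callableName(mixed $fn): ?string
{
    if (is_string($fn)) {
        return ltrim($fn, '\\');
    }
    if (is_array($fn) && isset($fn[0], $fn[1]) && is_string($fn[1])
        && (is_string($fn[0]) || is_object($fn[0]))) {
        $class = is_object($fn[0]) ? $fn[0]::class : ltrim($fn[0], '\\');
        return $class . '::' . $fn[1];
    }
    if ($fn instanceof Closure) {
        $ref = new ReflectionFunction($fn);
        if ($ref->isAnonymous()) { // ReflectionFunction::isAnonymous() needs PHP >= 8.2
            return null;
        }
        // A Closure that wraps a named function or method is checked as that target.
        $scope = $ref->getClosureScopeClass();
        return ($scope ? $scope->getName() . '::' : '') . $ref->getName();
    }
    throw new RuntimeException('Unsupported callable type');
}

function safeMap(iterable $items, mixed $fn): array
{
    $name = callableName($fn);
    if ($name !== null && !in_array(strtolower($name), ALLOWED, true)) {
        throw new RuntimeException(sprintf('Callable "%s" is not allowed', $name));
    }
    $out = [];
    foreach ($items as $key => $value) {
        $out[$key] = $fn($value);
    }
    return $out;
}

// Constructed inputs: string, array and Closure forms of callables that are not on the list.
foreach (['str_rot13', ['DateTime', 'getLastErrors'], Closure::fromCallable('str_rot13')] as $fn) {
    try {
        safeMap(['a'], $fn);
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
var_dump(safeMap(['a'], 'strtoupper'), safeMap(['a'], fn ($v) => $v . '!'));
```

The three constructed inputs are rejected with the resolved name in the message, while the listed function and the anonymous arrow function run.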
Patches
Patched in 6.7.6.1
Workarounds
Install the security plugin
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| packagist | | | 6.7.6.1 |
| packagist | | | 6.7.6.1 |