CRITICAL
JTL Software
CVE published 2026-06-18
CVE-2026-54390
A critical server-side template injection vulnerability exists in JTL Shop versions 5.2.0 through 5.7.1. User-supplied input is passed unsanitized to the Smarty template engine, which allows unauthenticated attackers to inject malicious template syntax. Successful exploitation enables attackers to read sensitive server-side values, such as database credentials and encryption keys. On versions 5.4.0 [truncated]