Share
## https://sploitus.com/exploit?id=PACKETSTORM:218781
# CVE-2026-23498: Shopware Has Improper Control of Generation of Code in Twig rendered views
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2026-23498](https://nvd.nist.gov/vuln/detail/CVE-2026-23498) |
    | **Severity** | HIGH |
    | **Advisory** | [View Advisory](https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **shopware/shopware** (versions: >= 6.7.0.0, < 6.7.6.1)
    - **shopware/core** (versions: >= 6.7.0.0, < 6.7.6.1)
    
    
    ## CWE Classification
    
    - CWE-94: Improper Control of Generation of Code ('Code Injection')
    
    ## Details
    
    ### Impact
    We fixed with [CVE-2023-2017](https://github.com/advisories/GHSA-7v2v-9rm4-7m8f) Twig filters to only be executed with allowed functions. However there was a regression that lead to an array and array crafted PHP Closure not checked being against allow list for the map(...) override
    
    ### Patches
    Patched in 6.7.6.1
    
    ### Workarounds
    Install the security plugin
    
    ### References
    (https://github.com/advisories/GHSA-7v2v-9rm4-7m8f)
    
    ## References
    
    - https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf
    - https://github.com/advisories/GHSA-7v2v-9rm4-7m8f
    - https://nvd.nist.gov/vuln/detail/CVE-2026-23498
    - https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475
    - https://github.com/advisories/GHSA-7cw6-7h3h-v8pf
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.