CVE-2023-2017
Published 2023-04-17
Priority P259 · high · CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS 2.08% (79.2th percentile)
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
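The advisory text above (and the GHSA impact text further down) describes the root cause: the allow-list check only examined one form of callable, so callables supplied in another form (an array of strings naming a fully-qualified function, or a Closure) reached PHP unchecked. As an added illustration that is not Shopware's code and not the real `SecurityExtension` implementation, the following PHP places that weak-check pattern beside a hardened check that canonicalises every callable form before comparing it with the list. The allow list `ALLOWED_FUNCTIONS`, the two helper names and the sample inputs are constructed for this example; PHP 8 is assumed.

```php
<?php
// Added example, not Shopware's code: a string-only allow-list check beside a
// hardened check that reduces every callable form to one canonical name.
declare(strict_types=1);

// Hypothetical allow list of plain function names a template may reference.
// Constructed for this example; Shopware's own list is not reproduced.
const ALLOWED_FUNCTIONS = ['strtoupper', 'strtolower', 'trim'];

/**
 * Weak check in the style the advisory describes: only string callables are
 * compared with the allow list, so array-form callables and Closures fall
 * through without any validation.
 */
function isAllowedCallableWeak(mixed $callable): bool
{
    if (is_string($callable)) {
        return in_array($callable, ALLOWED_FUNCTIONS, true);
    }

    // Defect: every non-string callable is accepted unchecked.
    return true;
}

/**
 * Hardened check: reject every form that cannot be reduced to a plain
 * function name, canonicalise the name, then compare with the allow list.
 */
function isAllowedCallableStrict(mixed $callable): bool
{
    // Closures and invokable objects carry arbitrary code and have no name
    // that could be matched against a function allow list.
    if (is_object($callable)) {
        return false;
    }

    // Array form [class, method] or [object, method] names a method, never a
    // plain function, so it can never match a function-only allow list.
    if (is_array($callable)) {
        return false;
    }

    // "Class::method" strings are method references as well: reject them.
    if (!is_string($callable) || str_contains($callable, '::')) {
        return false;
    }

    // Canonicalise: drop a leading namespace separator (fully-qualified form)
    // and compare case-insensitively, as PHP resolves function names that way.
    $name = strtolower(ltrim($callable, '\\'));
    $allowed = array_map('strtolower', ALLOWED_FUNCTIONS);

    // Require the name to resolve to an existing function as a final check.
    return in_array($name, $allowed, true) && function_exists($name);
}

/** Human-readable label for a sample callable (for the demonstration only). */
function describeCallable(mixed $callable): string
{
    if (is_string($callable)) {
        return var_export($callable, true);
    }
    if (is_array($callable)) {
        return '[' . implode(', ', array_map(fn ($p) => var_export($p, true), $callable)) . ']';
    }

    return $callable instanceof Closure ? 'Closure' : get_debug_type($callable);
}

// Constructed sample inputs covering each callable form PHP accepts.
$samples = [
    'strtoupper',                       // plain allowed name
    '\\strtoupper',                     // fully-qualified form of the same name
    'StrToUpper',                       // case variant of the same name
    'str_repeat',                       // real function, not on the allow list
    ['SomeClass', 'someMethod'],        // array-form callable (hypothetical names)
    static fn (string $s): string => $s, // Closure
];

foreach ($samples as $sample) {
    printf(
        "%-32s weak=%-5s strict=%s\n",
        describeCallable($sample),
        isAllowedCallableWeak($sample) ? 'allow' : 'deny',
        isAllowedCallableStrict($sample) ? 'allow' : 'deny'
    );
}
```

Running the script side by side shows the two failure modes of the weak check: it denies the fully-qualified and mixed-case spellings of an allowed function (so a developer is tempted to loosen it) while accepting the array-form callable and the Closure outright. The strict variant only ever reaches `in_array` with a canonical plain function name, which is the property a template allow list has to guarantee regardless of how the callable was spelled.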
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopware | core | >= 0 < 6.4.20.1 | 6.4.20.1 |
| shopware | core | >= 6.7.0.0 < 6.7.6.1 | 6.7.6.1 |
| shopware | platform | >= 0 < 6.4.20.1 | 6.4.20.1 |
| shopware | shopware | — | — |
| shopware | shopware | — | — |
| shopware | shopware | 6.1.0 – 6.4.20.0 | — |
| shopware | shopware | >= 6.7.0.0 < 6.7.6.1 | 6.7.6.1 |
| shopware | shopware | >= 6.7.0.0 < 6.7.6.1 | 6.7.6.1 |
Detection & IOCs (extracted from sources)
- Detect SSTI exploitation attempts targeting the Shopware 6 Twig environment by monitoring for usage of fully-qualified class/function names supplied as arrays of strings in template input, which is the specific bypass technique used to circumvent SecurityExtension validation.
- Monitor for bypass attempts against `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` — specifically inputs that pass validation checks but invoke arbitrary PHP callables through Twig templates outside the Sandbox extension.
- This CVE is a bypass of CVE-2023-22731; detection rules for CVE-2023-22731 may be insufficient — ensure coverage also accounts for array-of-strings callable references in Twig templates.
- The vulnerability affects both shopware/core and shopware/platform GitHub repositories across Shopware 6 versions <= v6.4.20.0 and v6.5.0.0-rc1 through v6.5.0.0-rc4; patched in v6.4.20.1.
- Exploitation requires the attacker to already have access to a Twig environment without the Sandbox extension enabled — not exploitable in default sandboxed configurations.
- A regression of this CVE was later introduced in Shopware 6.7.0.0–6.7.6.0 (tracked as CVE-2026-23498), where array and PHP Closure inputs to the map() override were not checked against the allow list.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
GHSA
ghsa · 2026-01-14 · CVSS 8.8
CVE-2026-23498 [HIGH] CWE-94 Shopware Has Improper Control of Generation of Code in Twig rendered views
### Impact
We fixed with [CVE-2023-2017](https://github.com/advisories/GHSA-7v2v-9rm4-7m8f) Twig filters to only be executed with allowed functions. However, there was a regression that led to an array and array-crafted PHP Closure not being checked against the allow list for the map(...) override.
### Patches
Patched in 6.7.6.1
### Workarounds
Install the security plugin
OSV
osv · 2026-01-14 · CVSS 8.8
CVE-2026-23498 [HIGH] Shopware Has Improper Control of Generation of Code in Twig rendered views (advisory text as in the GHSA entry for CVE-2026-23498 above)
GHSA
ghsa · 2023-04-18 · CVSS 8.8
CVE-2023-2017 [HIGH] CWE-1336 Shopware Has Improper Control of Generation of Code in Twig rendered views
### Impact
We fixed with [CVE-2023-22731](https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w) Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as a string or an array, and array-crafted PHP Closures were not checked against the allow list.
### Patches
The problem has been fixed with 6.4.20.1 with an improved override.
### Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
OSV
osv · 2023-04-18 · CVSS 8.8
CVE-2023-2017 [HIGH] Shopware Has Improper Control of Generation of Code in Twig rendered views (advisory text as in the GHSA entry for CVE-2023-2017 above)
No detection rules found.
No public exploits indexed.
Checkpoint
blogs_checkpoint · 2022-10-31 · CVE-2022-3723
## 31st October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
US-based communications company Twilio has disclosed a new data breach that occurred in June 2022, allegedly by the same threat actors behind the August hack. The hackers used voice phishing to trick a Twilio employee into handing over their credentials, which the hackers then used to access customer information.
Checkpoint
blogs_checkpoint · 2022-10-10 · CVE-2022-41352
## 10th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th October, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
CommonSpirit Health, the second-largest nonprofit hospital chain in the U.S with 140 hospitals and over 1,000 facilities in 21 states, suffered a cybersecurity incident that disrupted medical services across the country. Facilities in Iowa, Nebraska, Tennessee and Washington were among those affected. The nature of the at
Checkpoint
blogs_checkpoint · 2022-06-13 · CVE-2022-30190
## 13th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The Italian municipality of Palermo has been the victim of a ransomware attack that caused a large-scale service outage affecting over a million people. The attack was claimed by the Vice Society ransomware group, which used the double extortion ransomware
Shields Health Care Group, Massachusetts-based medical services provider, h
Checkpoint
blogs_checkpoint · 2021-06-28 · CVE-2021-21998
## 28th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th June, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Russian-based threat group Nobelium is using password spraying and brute force attacks to gain access to corporate networks. The group, which was behind the SolarWinds supply-chain attack, deployed an information-stealing Trojan on a Microsoft customer support agent’s computer to steal information. Over half of the targets were
Wiz
blogs_wiz · CVSS 8.8
CVE-2026-23498 [HIGH] CVE-2026-23498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23498: PHP vulnerability analysis and mitigation
Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array-crafted PHP Closure not being checked against the allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.
Source: NVD
- Score: 7.2
- Published: January 14, 2026
- Severity: HIGH
- CNA Score: 7.2
- Affected Technologies: PHP
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 20.2
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: shopware/core, shopware/shopware
- Sources: NVD
- Composer: Severity HIGH · Has Fix · Added at: Jan 14, 2026
References
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023
- https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f
- https://starlabs.sg/advisories/23/23-2017/