Unauthenticated remote code execution in JTL Shop
by Sansec Forensics Team
Published in Threat Research − June 17, 2026
Sansec found a critical template injection flaw in JTL Shop, one of the leading German ecommerce platforms, that lets an anonymous attacker steal database credentials and run code on the server. JTL has released patches for every supported branch. Store owners should upgrade now.

JTL responded fast and has released fixes for every supported branch: versions 5.5.4, 5.6.2 and 5.7.2, plus a back-patch covering 5.0.0 through 5.7.0. Every store owner running JTL Shop 5.2.0 or later should upgrade immediately.
A CVE is pending.
From data theft to code execution
The impact depends on the installed version.
On JTL Shop 5.2.0 and later, where the SSTI was introduced, an attacker can read server-side values through the injected template. That includes the BLOWFISH_KEY, the database host, name, user and password, and the shop configuration: SMTP and newsletter credentials, FTP and Redis settings, OAuth secrets and the stored SFTP private key.
On JTL Shop 5.4.0 and later, the shop additionally registers the PHP functions unserialize and file_get_contents as Smarty modifiers, so an injected template can call them on attacker-supplied strings: file_get_contents reads arbitrary files, and unserialize on untrusted data is PHP object injection. Sansec found this sufficient to write a webshell to the web root and execute commands as the web server user.
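To make the two mistakes concrete, here is an added illustration written for this page; it is not JTL Shop code and is not taken from Sansec's report. It assumes Smarty 4 installed via Composer, uses a stand-in file path because the article does not name the files an attacker targets, and goes slightly beyond the article by showing the general Smarty security-policy mechanism (an explicit modifier allowlist, with the caveat that an empty array means "allow everything") next to the vulnerable pattern.

```php
<?php
// Added illustration of the Smarty modifier problem, written for this page.
// It is NOT JTL Shop code. Assumes Smarty 4 installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Vulnerable pattern: two mistakes that together turn template injection
// into file read and, with unserialize, object injection.
//  1. raw PHP functions registered as modifiers, so {"path"|file_get_contents}
//     and {$data|unserialize} become valid template expressions;
//  2. untrusted input concatenated into the template SOURCE instead of being
//     assigned as a variable, so the attacker controls template code.
function renderVulnerable(string $untrusted): string
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_c');
    $smarty->registerPlugin('modifier', 'unserialize', 'unserialize');
    $smarty->registerPlugin('modifier', 'file_get_contents', 'file_get_contents');

    // $untrusted is compiled and executed as Smarty template code.
    return $smarty->fetch('string:Hello ' . $untrusted);
}

// Hardened pattern: an explicit security policy plus input-as-data.
// Caveat: for these Smarty_Security arrays an EMPTY array means "allow all";
// use null to forbid everything, or a non-empty allowlist.
class StrictPolicy extends Smarty_Security
{
    // No PHP function may be called as a template function.
    public $php_functions = null;
    // Only these PHP functions may be used as modifiers.
    public $php_modifiers = ['escape', 'count', 'nl2br'];
    // Only these modifier plugins may be used, registered or not; a template
    // using a registered 'unserialize' is rejected at compile time.
    public $modifiers = ['escape', 'count', 'nl2br', 'truncate'];
    // Keep $_SERVER, $_ENV and friends out of {$smarty.*}.
    public $allow_super_globals = false;
    public $allow_constants = false;
}

function renderHardened(string $untrusted): string
{
    $smarty = new Smarty();
    $smarty->setCompileDir(sys_get_temp_dir() . '/smarty_c');
    $smarty->enableSecurity(StrictPolicy::class);

    // Input is data: assigned, then escaped on output. It never reaches the
    // template compiler as code, so no policy needs to catch it.
    $smarty->assign('name', $untrusted);
    return $smarty->fetch('string:Hello {$name|escape:"html"}');
}

// Constructed attacker input: a Smarty expression where a name was expected.
// The path is a stand-in; the advisory does not list the files targeted.
$payload = '{"/etc/hostname"|file_get_contents}';

echo renderVulnerable($payload), PHP_EOL;  // the file's contents are leaked into the page
echo renderHardened($payload), PHP_EOL;    // the payload comes back as escaped, inert text
```

The policy is defence in depth: with StrictPolicy in place, a template that pipes anything into unserialize or file_get_contents fails to compile, but the fix that actually removes the SSTI is renderHardened's first principle, untrusted input assigned as a variable rather than concatenated into template source.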
Affected versions
| Version range | Status |
|---|---|
| 5.0.0 – 5.1.8 | Not affected |
| 5.2.0 – 5.3.x | Vulnerable: credential and configuration theft |
| 5.4.0 – 5.7.1 | Vulnerable: full unauthenticated RCE |
| 5.5.4 / 5.6.2 / 5.7.2 | Fixed |
JTL also published a back-patch covering 5.0.0 through 5.7.0 for installations that cannot move to the latest point release in their branch.
Recommendations
- Upgrade to JTL Shop 5.5.4, 5.6.2 or 5.7.2, or apply JTL's back-patch for older 5.x installations. See the JTL announcement for download links.
- Rotate secrets after patching. Because this flaw exposes the Blowfish key, database password and stored credentials, treat them as compromised on any store that ran a vulnerable version exposed to the internet.
- Run eComscan if you suspect abuse, to detect webshells, backdoors and injected malware.
- Deploy Sansec Shield to block exploitation attempts in real time.
There is no evidence of active exploitation so far. That can change quickly: a published fix shows attackers where the vulnerable code is, and unpatched stores face rising scanning pressure from that point on.
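As an added example for store owners who want a first look at their own traffic while a scan is pending, the script below is written for this page; it is not part of the article and is not eComscan or Sansec Shield. It reads a combined-format web server access log and flags requests whose target carries Smarty template syntax or the two modifiers named above. The log lines are constructed. The article does not say which request parameter JTL Shop injects through, so the check looks at the whole request target, and it decodes percent-encoding repeatedly because probes often double-encode the braces.

```php
<?php
// Added example for this page, not part of the article and not Sansec tooling.
// Scans a combined-format access log for requests whose target carries Smarty
// template syntax or the modifiers named in the advisory.
// Usage: php scan_ssti.php access.log   (no argument: built-in constructed sample)

const SMARTY_INDICATORS = [
    // a string literal or variable piped into a modifier: {"..."|x} or {$v|x}
    '/\{\s*("[^"]*"|\'[^\']*\'|\$\w+)\s*\|/' => 'smarty modifier expression',
    '/\|\s*unserialize\b/i'                  => 'unserialize modifier',
    '/\|\s*file_get_contents\b/i'            => 'file_get_contents modifier',
    '/\{\$smarty\./i'                        => '$smarty reserved variable',
];

// Decode percent-encoding repeatedly: "{" is usually sent as %7B or %257B.
function decodeRequestTarget(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return $target;
}

// Returns a finding for one log line, or null if nothing suspicious.
function scanLogLine(string $line): ?array
{
    // client - user [time] "METHOD target PROTO" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $target = decodeRequestTarget($m[4]);
    $hits = [];
    foreach (SMARTY_INDICATORS as $regex => $label) {
        if (preg_match($regex, $target)) {
            $hits[] = $label;
        }
    }
    if ($hits === []) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'status' => (int) $m[5],
        'target' => $target,
        'hits'   => $hits,
    ];
}

function scanLog(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $finding = scanLogLine((string) $line);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    return $findings;
}

// Constructed sample: a normal request, a single-encoded probe, a double-encoded probe.
$sampleLines = [
    '198.51.100.9 - - [17/Jun/2026:10:01:05 +0000] "GET /shirt?size=M HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jun/2026:10:01:02 +0000] "GET /?q=%7B%22%2Fetc%2Fpasswd%22%7Cfile_get_contents%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [17/Jun/2026:10:01:09 +0000] "GET /?q=%257B%2524x%257Cunserialize%257D HTTP/1.1" 500 0 "-" "curl/8.0"',
];

$lines = $argc > 1 ? new SplFileObject($argv[1]) : $sampleLines;
foreach (scanLog($lines) as $f) {
    printf("%s %s %s %d %s [%s]\n",
        $f['time'], $f['ip'], $f['method'], $f['status'], $f['target'], implode(', ', $f['hits']));
}
```

Two caveats: an access log only records the request line, so payloads sent in POST bodies or headers need request-body logging or WAF logs to be seen; and braces in query strings have legitimate uses (JSON filters, for instance), so treat a lone "smarty modifier expression" hit as a lead to inspect, and a hit on unserialize or file_get_contents as a strong indicator.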
Scaling vulnerability research
This finding is part of a broader Sansec effort. We have been working around the clock to find and triage vulnerabilities in ecommerce platforms, and new AI-assisted research capabilities now let us cover far more code, far faster. Expect more disclosures from this program.
Timeline
| Date | Event |
|---|---|
| 2022-12-19 | SSTI introduced in JTL Shop 5.2.0 |
| 2024-10-29 | RCE path introduced in JTL Shop 5.4.0 |
| 2026-06-05 | Sansec reports the vulnerability to JTL |
| 2026-06-17 | JTL releases patched 5.5.4, 5.6.2 and 5.7.2; Sansec publishes |
Credit to the JTL team for a quick and professional response, and for shipping fixes across every supported branch.