CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23498: Shopware 6: Mapping Your Way to RCE via Twig Type Juggling

Vulnerability ID: CVE-2026-23498
CVSS Score: 9.8
Published: 2026-01-14

A critical logic flaw in Shopware 6's Twig SecurityExtension allows attackers to bypass the function allowlist. By leveraging PHP's loose typing and passing array-based callables to the 'map' filter, attackers can evade security checks and execute arbitrary PHP methods, leading to Remote Code Execution (RCE).

TL;DR

Shopware tried to sandbox Twig's map filter by checking whether the function name was an allowlisted string. They forgot that a PHP callable can also be an array (e.g., ['Class', 'Method']), which never reaches the string check. This vulnerability exploits that oversight to bypass the sandbox completely, turning a simple template rendering engine into a remote shell.
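To make the bypass concrete, here is an added example (not Shopware's code; class and method names are hypothetical) that models the string-only allowlist check beside a hardened variant that reduces every callable to a canonical string before comparing it. Nothing is invoked; the functions only return whether a given callable would pass the check.

```php
<?php
// Added example, not Shopware's code: a minimal model of the allowlist guard
// around Twig's |map filter. MapFilterGuard and its methods are hypothetical.
declare(strict_types=1);

final class MapFilterGuard
{
    /** @param list<string> $allowedPHPFunctions */
    public function __construct(private array $allowedPHPFunctions) {}

    /** Vulnerable form: only string callables are compared to the allowlist. */
    public function isAllowedVulnerable(string|callable $function): bool
    {
        if (\is_string($function) && !\in_array($function, $this->allowedPHPFunctions, true)) {
            return false;
        }
        // Array callables such as ['Class', 'method'] are never looked at and fall through.
        return true;
    }

    /** Hardened form: every callable is normalised to a string before the allowlist check. */
    public function isAllowedHardened(string|callable $function): bool
    {
        if ($function instanceof \Closure) {
            // Assumption: Twig arrow functions (v => ...) arrive as Closures and are kept.
            return true;
        }
        if (\is_array($function)) {
            // Only the static two-string form is normalised; instance callables
            // ([$object, 'method']) and anything else are refused outright.
            if (\count($function) !== 2 || !\is_string($function[0]) || !\is_string($function[1])) {
                return false;
            }
            $function = $function[0] . '::' . $function[1];
        }
        if (!\is_string($function)) {
            return false; // invokable objects and other callable shapes
        }
        return \in_array($function, $this->allowedPHPFunctions, true);
    }
}

// Constructed sample: a static method that is a valid PHP callable but not allowlisted.
$guard = new MapFilterGuard(['strtoupper', 'trim']);
$arrayCallable = ['DateTime', 'createFromFormat'];
var_dump($guard->isAllowedVulnerable('strtoupper'));   // allowlisted string
var_dump($guard->isAllowedVulnerable($arrayCallable)); // array skips the string check
var_dump($guard->isAllowedHardened($arrayCallable));   // normalised to a string, then rejected
var_dump($guard->isAllowedHardened('trim'));           // allowlisted string
```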

⚠️ Exploit Status: PoC

Technical Details

  • Attack Vector: Network (Twig Template Injection)
  • CVSS v3.1: 9.8 (Critical)
  • CWE ID: CWE-843
  • CWE Name: Access of Resource Using Incompatible Type ('Type Confusion')
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept (PoC)

Affected Systems

  • Shopware 6 Core
  • Shopware 6 Professional
  • Shopware 6 Enterprise
  • Shopware 6 < 6.6.x (patched January 2026; fixed in the post-5-January-2026 release)

Code Analysis

Commit: 3966b05

Fix security bypass in Twig SecurityExtension map filter

@@ -45,6 +45,11 @@ public function map(?iterable $array, string|callable|\Closure $function): ?arra
             return null;
         }

+        if (\is_array($function)) {
+            $function = implode('::', $function);
+            \assert(\is_callable($function));
+        }
+
         if (\is_string($function) && !\in_array($function, $this->allowedPHPFunctions, true)) {
             throw AdapterException::securityFunctionNotAllowed($function);
         }
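Review bot: the new `\assert(\is_callable($function))` is a debug-only guard; with `zend.assertions` at its production default it is compiled out and rejects nothing, so the real protection comes from the `\in_array` check that now runs because the value has become a string. More importantly, `implode('::', $function)` assumes a two-string static callable, but the `string|callable|\Closure` parameter also admits an instance callable `[$obj, 'method']`, for which `implode()` would raise a conversion Error instead of the intended `AdapterException::securityFunctionNotAllowed`. Consider normalising only `[string, string]` arrays and throwing the exception for every other array shape.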

Exploit Details

  • Researcher Analysis: Payload derived from patch analysis: {{ ['id']|map(['Class', 'Method']) }}

Mitigation Strategies

  • Restrict access to Twig template editing to trusted administrators only.
  • Implement file integrity monitoring on core Shopware files.
  • Disable dangerous PHP functions (exec, system, shell_exec) in php.ini as a defense-in-depth measure.

Remediation Steps:

  1. Update Shopware 6 immediately to the latest version containing the patch.
  2. If immediate update is not possible, manually apply the patch to src/Core/Framework/Adapter/Twig/SecurityExtension.php.
  3. Audit all custom Twig templates for suspicious usage of the map filter.

Read the full report for CVE-2026-23498 on our website for more details including interactive diagrams and full exploit analysis.