CVE-2026-23498

Published: Jan 14, 2026Modified: Jan 28, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

Affected (1)

Products: Shopware: Shopware

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopware Shopware	From 6.7.0.0 to 6.7.6.1

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475

Source: security-advisories@github.com

Patch

https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf

Source: security-advisories@github.com

Third Party Advisory

Timeline

No history available yet.