Shopware Has Improper Control of Generation of Code in Twig rendered views
Description
Published to the GitHub Advisory Database
Jan 14, 2026
Reviewed
Jan 14, 2026
Published by the National Vulnerability Database
Jan 14, 2026
Last updated
Jan 14, 2026
Impact
We fixed with CVE-2023-2017 Twig filters to only be executed with allowed functions. However there was a regression that lead to an array and array crafted PHP Closure not checked being against allow list for the map(...) override
Patches
Patched in 6.7.6.1
Workarounds
Install the security plugin
References