Improper Neutralization of Special Elements Used in a Template Engine in Shopware - CVE-2023-2017
Published: April 17, 2023 / Updated: May 19, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in a template engine in Twig rendered views when processing crafted PHP closures passed as strings or arrays. A remote user can supply crafted PHP closures that bypass the allow list to execute arbitrary code.