Code Injection in Shopware - CVE-2023-22731
Published: January 17, 2023 / Updated: May 19, 2026
Shopware
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of generation of code in Twig rendered views when rendering Twig templates without the Sandbox extension. A remote attacker can refer to global PHP functions through Twig filters such as map, filter, or sort to execute arbitrary code.
Only Twig environments without the Sandbox extension are vulnerable.