Code Injection in Shopware - CVE-2023-22731

 

Code Injection in Shopware - CVE-2023-22731

Published: January 17, 2023 / Updated: May 19, 2026


Vulnerability identifier: #VU131885
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-22731
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Shopware
Affected software:
Shopware

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of generation of code in Twig rendered views when rendering Twig templates without the Sandbox extension. A remote attacker can refer to global PHP functions through Twig filters such as map, filter, or sort to execute arbitrary code.

Only Twig environments without the Sandbox extension are vulnerable.


How to mitigate CVE-2023-22731

Install security update from vendor's website.

Sources