VYPR
High severity · OSV Advisory · Published Jan 14, 2026 · Updated Jan 14, 2026

Shopware Improper Control of Generation of Code in Twig rendered views

CVE-2026-23498

Description

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leaves an array callable, and an array-crafted PHP Closure, unchecked against the allow list in the map(...) override. This vulnerability is fixed in 6.7.6.1.
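To show the regression in runnable form, here is an added PHP stand-in for the allow-list check (not Shopware's own code): `mapVulnerable` reproduces the regressed check that only inspects string callables, `mapFixed` applies the normalisation from the fix, and `Gadget` is a constructed stand-in for an arbitrary static method. Rejecting instance callables outright is this example's own choice, not the project's behaviour.

```php
<?php
// Added example, not Shopware's own code. Gadget, mapVulnerable and
// mapFixed are constructed names; the allow list is a stand-in for
// SecurityExtension::$allowedPHPFunctions.

final class Gadget
{
    public static bool $called = false;
    public static function do(mixed $value): mixed
    {
        self::$called = true; // a real gadget would do something harmful here
        return $value;
    }
}

// Regressed behaviour: only string callables are checked, so an array
// callable such as [Gadget::class, 'do'] reaches array_map unchecked.
function mapVulnerable(array $array, string|callable $function, array $allowed): array
{
    if (\is_string($function) && !\in_array($function, $allowed, true)) {
        throw new RuntimeException("function not allowed: $function");
    }
    return array_map($function, $array);
}

// Fixed behaviour: an array callable is flattened to its 'Class::method'
// form before the allow-list check. Rejecting instance callables
// ([$object, 'method']) is this example's choice, so implode() never
// has to stringify an object.
function mapFixed(array $array, string|callable $function, array $allowed): array
{
    if (\is_array($function)) {
        if (!\is_string($function[0] ?? null) || !\is_string($function[1] ?? null)) {
            throw new RuntimeException('instance callables are not allowed');
        }
        $function = implode('::', $function);
    }
    if (\is_string($function) && !\in_array($function, $allowed, true)) {
        throw new RuntimeException("function not allowed: $function");
    }
    return array_map($function, $array);
}

$allowed = ['strtoupper'];
mapVulnerable(['a'], [Gadget::class, 'do'], $allowed);
echo 'regressed check, gadget called: ' . var_export(Gadget::$called, true) . PHP_EOL;
Gadget::$called = false;
try {
    mapFixed(['a'], [Gadget::class, 'do'], $allowed);
} catch (RuntimeException $e) {
    echo 'fixed check: ' . $e->getMessage() . PHP_EOL;
}
echo 'fixed check, gadget called: ' . var_export(Gadget::$called, true) . PHP_EOL;
```

Run with any PHP 8 interpreter; the first call reaches the gadget, the second is stopped by the allow-list check before the callable is invoked.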

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions        Patched versions
shopware/shopware (Packagist)   >= 6.7.0.0, < 6.7.6.1    6.7.6.1
shopware/core (Packagist)       >= 6.7.0.0, < 6.7.6.1    6.7.6.1

Patches

3966b05590e2

fix: map in security extension for array callables

https://github.com/shopware/shopware · Jonas Elfering · Jan 5, 2026 · via ghsa
2 files changed · +6 −1
  • src/Core/Framework/Adapter/Twig/SecurityExtension.php (+5 −0, modified)
    @@ -45,6 +45,11 @@ public function map(?iterable $array, string|callable|\Closure $function): ?arra
                 return null;
             }
     
    +        if (\is_array($function)) {
    +            $function = implode('::', $function);
    +            \assert(\is_callable($function));
    +        }
    +
             if (\is_string($function) && !\in_array($function, $this->allowedPHPFunctions, true)) {
                 throw AdapterException::securityFunctionNotAllowed($function);
             }
    
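Review bot: the new `\is_array` branch only handles the `[ClassName, 'method']` form; for an instance callable `[$object, 'method']`, which the `string|callable|\Closure` signature also accepts, `implode('::', $function)` fails with a PHP Error (object-to-string conversion) instead of the intended `AdapterException`, and `\assert(\is_callable($function))` is skipped entirely when assertions are disabled in production, so it is not a guard. Suggest checking that both elements are strings before the `implode` and otherwise throwing `AdapterException::securityFunctionNotAllowed(...)`, so that the `\in_array` allow-list check stays the single decision point.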
  • tests/unit/Core/Framework/Adapter/Twig/SecurityExtensionTest.php (+1 −1, modified)
    @@ -185,7 +185,7 @@ class SecurityExtensionGadget
     {
         public static function do(): void
         {
    -        throw new \Error('This should not be called');
    +        // no op, do not throw as we need to check that an exception is thrown by the security extension, not here
         }
     }
     
    
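Review bot: making `SecurityExtensionGadget::do()` a silent no-op means the test can no longer tell whether the extension invoked the gadget before throwing; setting a static flag inside `do()` and asserting that it is still false after the expected `AdapterException` would keep that guarantee while still letting the exception come from the security extension rather than from the gadget.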
