CVE-2026-23498

EUVD-2026-2421
Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Affected Products (NVD)
VendorProductVersion
shopwareshopware
6.7.0.0 ≤
𝑥
< 6.7.6.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475
https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf