The National Vulnerability Database on June 18, 2026 published CVE-2026-54390, a server-side template injection vulnerability in the e-commerce platform JTL Shop that NVD scores at 9.8 on the CVSS 3.1 scale and 9.3 on the newer CVSS 4.0 scale — both in the "critical" band. The record states the flaw affects JTL Shop versions 5.2.0 through 5.7.1, and that an attacker does not need to authenticate to reach it. The vector string NVD assigns, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, describes a network-reachable issue requiring no privileges and no user interaction, with high impact to confidentiality, integrity, and availability. The source identifier on the entry is disclosure@vulncheck.com, indicating VulnCheck acted as the assigning CNA.
According to the NVD description, the underlying problem is unsanitized user-supplied input being passed to the Smarty template engine, the templating layer JTL Shop uses to render storefront pages. The classification NVD applies is CWE-1336, "Improper Neutralization of Special Elements Used in a Template Engine." The record draws a line between two outcomes depending on the installed version: on the full affected range, an attacker can read sensitive server-side values, and on a narrower range, the same injection path can be escalated to writing files and executing commands.
"JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to unsanitized user-supplied input passed to the Smarty template engine. Attackers can exploit this flaw to read sensitive server-side values such as database credentials and encryption keys, and on versions 5.4.0 through 5.7.1, leverage registered Smarty modifiers including unserialize and file_get_contents to write a webshell to the web root and execute arbitrary commands as the web server user."
— NVD, CVE-2026-54390
What the record describes
JTL Shop is an e-commerce platform from the German vendor JTL-Software, and the NVD record frames the defect at the level of how the application hands input to its rendering layer rather than at any single feature. Server-side template injection occurs when user input is treated as part of a template rather than as data passed into one: template syntax inside the input is compiled and evaluated by the engine instead of being displayed. The NVD description states that the input reaches the Smarty engine without sanitization, so an attacker who supplies Smarty syntax has that syntax executed by the server. Across the whole affected range, the record says, that yields the ability to read sensitive server-side values, and it names two examples: database credentials and encryption keys. Those are the kinds of secrets that, once read, extend an attacker's reach well beyond the single request.
The record then describes a sharper outcome confined to versions 5.4.0 through 5.7.1. On those versions, NVD states, an attacker can leverage registered Smarty modifiers, the description naming unserialize and file_get_contents, to write a webshell to the web root and execute arbitrary commands as the web server user. A Smarty modifier is applied to a value with the pipe syntax, so a modifier that wraps a PHP function gives injected template code a way to call that function on attacker-chosen arguments; a webshell in the web root is then reachable over ordinary HTTP, so the attacker no longer depends on the injection path once the file exists. In CVSS terms that is the path from a high-confidentiality read to full integrity and availability impact, which is consistent with the 9.8 base score the record carries. The distinction between 5.2.0 through 5.3.x and 5.4.0 through 5.7.1 in the description is a statement of how far the same root cause reaches on different builds, not a separate vulnerability.
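The following PHP is an added illustration of the general pattern the record describes, not code from JTL Shop, NVD or the referenced advisories; the record does not show the vulnerable call site, so this is generic Smarty 3/4 usage against the public Smarty API. The "q" parameter, the template text, the compile directory, and /etc/hostname as the file an attacker reads are all assumptions. It places the vulnerable call (input concatenated into template source) beside the hardened one (input assigned as a variable) and adds a Smarty security policy that refuses the modifiers the record names:

```php
<?php
// Added example, not JTL Shop code: the NVD record does not show the
// vulnerable call site, so this is generic Smarty 3/4 usage. Requires
// "composer require smarty/smarty". The "q" parameter, the template text,
// the compile directory and the file path read below are all assumptions.
require __DIR__ . '/vendor/autoload.php';

$smarty = new Smarty();
$smarty->setCompileDir(sys_get_temp_dir() . '/smarty_compile');
// Output escaping is an XSS control, not an SSTI control: injected template
// code runs at compile/render time, before any escaping of its output.
$smarty->escape_html = true;

// Constructed attacker inputs, one per tier the record describes.
// Read tier: a reserved variable prints a server-side value. A real attack
// would name an application constant holding a credential; PHP_VERSION
// stands in for one here.
$readInput = '{$smarty.const.PHP_VERSION}';
// Escalation tier: "literal"|modifier applies a modifier to the string. Where
// file_get_contents is reachable as a modifier this reads a file; with a
// write-capable modifier it becomes the webshell drop the record describes.
$fileInput = '{"/etc/hostname"|file_get_contents}';

// VULNERABLE: the input is concatenated into the template source. The
// "string:" resource makes Smarty compile that text, so braces in the input
// are parsed as template code instead of being shown to the visitor.
function renderVulnerable(Smarty $smarty, string $input): string
{
    return $smarty->fetch('string:<h1>Results for ' . $input . '</h1>');
}

// HARDENED: the template text is fixed by the developer and the input only
// enters it as an assigned variable. Braces inside the value are data and
// are never compiled; they render as literal (escaped) text.
function renderHardened(Smarty $smarty, string $input): string
{
    $smarty->assign('q', $input);
    return $smarty->fetch('string:<h1>Results for {$q}</h1>');
}

// Defense in depth: a Smarty security policy that limits which PHP functions
// templates may call as modifiers or in expressions, so template code that
// does reach the compiler still cannot invoke unserialize or file_get_contents.
class StrictPolicy extends Smarty_Security
{
    public $php_modifiers = ['escape', 'count', 'nl2br'];
    public $php_functions = ['isset', 'empty', 'count'];
    public $allow_constants = false;      // blocks {$smarty.const.*}
    public $allow_super_globals = false;  // blocks {$smarty.server.*} and friends
}

foreach ([$readInput, $fileInput] as $input) {
    echo "vulnerable: ", renderVulnerable($smarty, $input), "\n";
    echo "hardened:   ", renderHardened($smarty, $input), "\n";
}

$smarty->enableSecurity(new StrictPolicy($smarty));
try {
    renderVulnerable($smarty, $fileInput);
} catch (SmartyException $e) {
    // With the policy active the modifier is rejected at compile time.
    echo "policy blocked: ", $e->getMessage(), "\n";
}
```

Run with php on a host with the Smarty package installed: the vulnerable path prints the PHP version and the contents of /etc/hostname, the hardened path prints the attacker's braces as inert text, and the policy turns the modifier call into a compile error. Which PHP functions are reachable as modifiers depends on the Smarty version and on what the application registers; the record names unserialize and file_get_contents for JTL Shop, and the page does not say which Smarty release the product bundles. The real fix is the hardened shape, keeping input out of template source; the policy is a second layer for the case where some template source is still assembled at runtime.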
Versions, scoring, and the referenced sources
The affected range as stated in the NVD record runs from 5.2.0 through 5.7.1. The references attached to the entry point to three external sources. NVD links a VulnCheck advisory titled "JTL Shop Server-Side Template Injection via Smarty Renderer," a Sansec research write-up on JTL Shop SSTI to remote code execution, and a JTL Software forum thread discussing JTL Shop 5.7.2. The presence of a 5.7.2 thread in the references aligns with the affected range topping out at 5.7.1.
NVD records two scoring systems for this entry. Under CVSS 3.1 the base score is 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Under CVSS 4.0 the base score is 9.3 with a vector that likewise marks the attack vector as network, attack complexity as low, and privileges and user interaction as none, while rating vulnerable-system confidentiality, integrity, and availability as high. The two scores reflect the same underlying assessment translated across two versions of the standard. Both place the entry firmly in the critical range, and both encode the same core facts a reader can confirm on the detail page: no authentication, no interaction, reachable over the network, with full impact to the affected system.
For a defender working from the primary record, the actionable facts are the version range, the unauthenticated network vector, and the two-tier impact: secret disclosure across the range, and code execution on 5.4.0–5.7.1. NVD does not, in this entry, state whether the flaw has been observed in active exploitation; the record is a vulnerability disclosure rather than an exploitation report, and it had not, as of publication, been added to CISA's Known Exploited Vulnerabilities catalog. Operators of JTL Shop installations can confirm their build against the 5.2.0–5.7.1 window stated in the record and consult the referenced JTL Software forum thread for the vendor's 5.7.2 release. Because the read tier exposes database credentials and encryption keys, an installation in the affected range that shows signs of probing should have those secrets rotated after the update; patching the code path does not revoke a value that has already been read. The practical takeaway for defenders is to treat any storefront input that flows into Smarty rendering as a code-execution surface until the referenced update is applied, given that the record describes the read-secrets and write-webshell behavior as reachable without authentication.
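One way to look for probing of this kind in web-server logs, as an added example that is not code from JTL Shop, NVD or the referenced advisories: the script below URL-decodes each request target (twice, so double-encoded payloads surface), finds Smarty-style brace blocks, and tiers them as a reserved-variable read, a call to one of the modifiers the record names, any other modifier call, or other template syntax. The log lines are constructed in combined log format, the /search endpoint and its q parameter are assumptions, and the DB_PASS constant in one sample is invented for illustration; the record names no constant.

```php
<?php
// Added example: access-log triage for Smarty-style template injection
// probes. Not JTL Shop, NVD or advisory code. The log lines below are
// constructed (combined log format), the /search endpoint and its q
// parameter are assumptions, and the DB_PASS constant name in one sample
// is invented for illustration; the record names no constant.

// Modifier names the record singles out. Any "literal"|function shape is
// reported too, at a lower tier, since modifiers are how template code
// calls PHP functions.
const NAMED_MODIFIERS = ['unserialize', 'file_get_contents'];

/** URL-decode up to $max rounds so double-encoded payloads also surface. */
function urlDecodeDeep(string $s, int $max = 2): string
{
    for ($i = 0; $i < $max; $i++) {
        $next = urldecode($s);
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

/**
 * Findings for one request target (path plus query string), [] if clean.
 * Each finding is [tier, block]: "read" for Smarty reserved-variable access,
 * "exec" for a named modifier, "modifier" for any other modifier call,
 * "syntax" for other template constructs.
 */
function scanTarget(string $target): array
{
    $decoded = urlDecodeDeep($target);
    // Smarty's default delimiters; a deployment with custom delimiters
    // would need this pattern adjusted.
    if (!preg_match_all('/\{[^{}]+\}/', $decoded, $m)) {
        return [];
    }
    $named = implode('|', array_map('preg_quote', NAMED_MODIFIERS));
    $findings = [];
    foreach ($m[0] as $block) {
        if (preg_match('/\$smarty\.(const|server|env|session|get|post|cookies|request)\b/i', $block)) {
            $findings[] = ['read', $block];
        } elseif (preg_match('/\|\s*(' . $named . ')\b/i', $block)) {
            $findings[] = ['exec', $block];
        } elseif (preg_match('/\|\s*[A-Za-z_]\w*/', $block)) {
            $findings[] = ['modifier', $block];
        } elseif (preg_match('/^\{\s*(\$|php\b|if\b|foreach\b|include\b|literal\b)/i', $block)) {
            $findings[] = ['syntax', $block];
        }
    }
    return $findings;
}

/** Pull client, timestamp, method and target out of a common/combined log line. */
function parseRequest(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4]];
}

/** Scan a list of log lines; returns one entry per line that has findings. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $req = parseRequest($line);
        if ($req === null) {
            continue;
        }
        $findings = scanTarget($req['target']);
        if ($findings !== []) {
            $hits[] = ['line' => $i + 1] + $req + ['findings' => $findings];
        }
    }
    return $hits;
}

// Constructed sample: a benign search, a benign JSON filter, a reserved-
// variable read, a double-encoded read, and a named-modifier call.
$sampleLog = [
    '192.0.2.10 - - [18/Jun/2026:09:58:41 +0000] "GET /search?q=hoodie HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [18/Jun/2026:10:02:17 +0000] "GET /api/items?filter=%7B%22color%22%3A%22red%22%7D HTTP/1.1" 200 1930 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:14:02 +0000] "GET /search?q=%7B%24smarty.const.DB_PASS%7D HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:14:05 +0000] "GET /search?q=%257B%2524smarty.server.DOCUMENT_ROOT%257D HTTP/1.1" 200 540 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:14:09 +0000] "GET /search?q=%7B%22/etc/passwd%22%7Cfile_get_contents%7D HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
];

foreach (scanLog($sampleLog) as $hit) {
    foreach ($hit['findings'] as [$tier, $block]) {
        printf("line %d  %s  %s  %s %s  tier=%s  %s\n",
            $hit['line'], $hit['time'], $hit['client'], $hit['method'], $hit['target'], $tier, $block);
    }
}
```

On the sample the two benign lines produce nothing (the JSON filter has braces but no Smarty constructs) and the three probes from 203.0.113.7 are reported as read, read and exec. Two caveats a practitioner should keep in mind: access logs carry neither POST bodies, headers nor cookies, so this only sees probes that travel in the query string, and a WAF or application-level log is needed for the rest; and because the record's escalation tier ends with a webshell written to the web root, the scan should be paired with a check for PHP files in the web root that the installed release does not account for, which is where a successful attack leaves its trace after the initial request.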
This entry sits among a cluster of critical-severity CVEs the National Vulnerability Database published during the week of June 12 to June 18, 2026. As with every record in that set, the score, the affected versions, the weakness classification, and the impact statement above are taken directly from the NVD entry and its referenced advisories; readers can verify each by following the canonical detail URL to nvd.nist.gov.