VYPR
Vendor: Opencart

Products: 1
CVEs: 39 (across products: 39)
Status: Private


Recent CVEs

  • CVE-2021-47923 | Critical | May 10, 2026
    risk 0.64 | CVSS 9.8 | EPSS 0.00

    OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover…

  • CVE-2014-3990 | Critical | Mar 20, 2018
    risk 0.57 | CVSS 9.8 | EPSS 0.07

    The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP…

  • CVE-2021-47928 | High | May 10, 2026
    risk 0.53 | CVSS 8.2 | EPSS 0.00

    Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based…

  • CVE-2018-11231 | High | May 23, 2018
    risk 0.53 | CVSS 8.1 | EPSS 0.09

    The Divido plugin for OpenCart is vulnerable to SQL injection, which attackers can use to obtain confidential information.

  • CVE-2016-10509 | High | Aug 31, 2017
    risk 0.40 | CVSS 7.2 | EPSS 0.01

    SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php.

  • CVE-2021-47946 | Medium | May 10, 2026
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email…

  • CVE-2015-4671 | Medium | Jan 12, 2016
    risk 0.33 | CVSS 6.1 | EPSS 0.02

    Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php.

  • CVE-2026-5331 | Medium | Apr 2, 2026
    risk 0.31 | CVSS 4.7 | EPSS 0.00

    Path traversal in installer.php of the Extension Installer page in OpenCart 4.1.0.3; the affected code path is not specified. The attack may be launched remotely. The exploit has been publicly disclosed…

  • CVE-2021-47953 | Medium | May 10, 2026
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the…

  • CVE-2025-15116 | Low | Dec 28, 2025
    risk 0.24 | CVSS 3.7 | EPSS 0.00

    Race condition in the Single-Use Coupon Handler of OpenCart up to 4.1.0.3; the affected functionality is not specified. The attack may be initiated remotely. The attack's complexity is…

  • CVE-2024-21517 | Medium | Jun 22, 2024
    risk 0.20 | CVSS 4.2 | EPSS 0.00

    This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of the customer account/login route. An attacker can inject arbitrary HTML and JavaScript into the page response. As this vulnerability is present in…

  • CVE-2024-21516 | Medium | Jun 22, 2024
    risk 0.20 | CVSS 4.2 | EPSS 0.00

    This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously…

  • CVE-2024-21515 | Medium | Jun 22, 2024
    risk 0.20 | CVSS 4.2 | EPSS 0.00

    This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then…

  • CVE-2009-1621 | May 12, 2009
    risk 0.04 | CVSS not listed | EPSS 0.06

    Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the route parameter.

  • CVE-2019-15081 | Aug 15, 2019
    risk 0.03 | CVSS not listed | EPSS 0.02

    OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.

  • CVE-2024-58341 | Mar 25, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values…

  • CVE-2026-3714 | Mar 8, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    OpenCart 4.0.2.3: the Save function of admin/controller/design/template.php, which carries an incomplete fix for CVE-2024-36694, is affected. Such manipulation leads to improper neutralization of special elements used in a…

  • CVE-2025-45893 | Jul 25, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file…

  • CVE-2025-45892 | Jul 25, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript…

  • CVE-2025-1749 | Feb 28, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher.
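The session fixation entry (CVE-2021-47923) describes a server that adopts whatever OCSESSID value the client presents. The following is an added illustrative example, not OpenCart's own code: it puts the vulnerable pattern next to a hardened one using PHP's built-in session functions. The function names and the 'initiated' session marker are hypothetical; only the cookie name OCSESSID comes from the entry above.

```php
<?php
// Added illustrative example, not OpenCart's code. Function names and the
// 'initiated' marker are hypothetical; OCSESSID is the cookie named above.

const SESSION_COOKIE = 'OCSESSID';

// Vulnerable pattern: whatever value arrives in the cookie becomes the session
// ID. An attacker who plants a known value in the victim's browser then shares
// the session the victim later authenticates.
function sessionStartVulnerable(): void
{
    session_name(SESSION_COOKIE);
    if (isset($_COOKIE[SESSION_COOKIE])) {
        session_id($_COOKIE[SESSION_COOKIE]);   // unvalidated, client-chosen
    }
    session_start();
}

// Hardened pattern: refuse IDs the server never issued, set cookie flags, and
// rotate the ID on every privilege change.
function sessionStartHardened(): void
{
    // Strict mode makes PHP reject cookie IDs that do not already exist in the
    // session store, which on its own defeats planting an arbitrary value.
    ini_set('session.use_strict_mode', '1');
    session_name(SESSION_COOKIE);
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);

    // Defence in depth: only a value shaped like our own IDs reaches the
    // session layer. 32 hex chars assumes the default session.sid_length of 32
    // and sid_bits_per_character of 4; adjust the pattern to match php.ini.
    $id = $_COOKIE[SESSION_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        session_id(bin2hex(random_bytes(16)));
    }
    session_start();

    // Sessions we created carry a marker; anything without it is discarded.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION = ['initiated' => true];
    }
}

// An attacker can still fetch a genuine ID from the server and plant that one,
// so the decisive control is regeneration at login and at password change.
function onLogin(int $customerId): void
{
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customerId;
}
```

The regex and the marker are belt-and-braces; `session.use_strict_mode` plus `session_regenerate_id(true)` at every privilege change are the two controls that actually close the fixation window, because a planted ID that the server itself issued passes every format check.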
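Two entries above (CVE-2009-1621, `..` in the route parameter; CVE-2026-5331, path traversal in installer.php) are the same class of bug: a request parameter that ends up in a filesystem path. The following is an added illustrative example, not OpenCart's routing code: it assumes a route string maps to a `.php` file under a controller directory (a hypothetical layout) and shows the two checks a practitioner would want, a strict segment allow-list and a canonical-path prefix check.

```php
<?php
// Added illustrative example, not OpenCart's code. The route-to-file mapping
// and the controller directory layout are hypothetical.

function resolveController(string $route, string $controllerDir): ?string
{
    // Allow only lower-case word segments joined by single slashes, e.g.
    // "product/product" or "account/login". This rejects "..", leading or
    // trailing slashes, backslashes, null bytes and percent-encoded variants
    // before anything touches the filesystem.
    if (!preg_match('#^[a-z0-9_]+(/[a-z0-9_]+)*$#', $route)) {
        return null;
    }

    $base = realpath($controllerDir);
    $candidate = realpath($base . '/' . $route . '.php');

    // realpath() returns false for a missing file and resolves symlinks, so
    // the prefix check below compares real on-disk locations.
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the controller tree
    }
    return $candidate;
}

// Usage (hypothetical paths): a default route when none is supplied, and a
// 404 rather than an include when validation fails.
$route = $_GET['route'] ?? 'common/home';
$file  = resolveController((string) $route, __DIR__ . '/catalog/controller');
if ($file === null) {
    http_response_code(404);
    exit;
}
require $file;
```

The allow-list alone would already block `../../etc/passwd`; the `realpath()` prefix check is there for the cases a regex does not see, such as a symlink inside the controller directory pointing elsewhere, or a later refactor that loosens the pattern.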
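Several entries above are SQL injection through a request parameter spliced into a query (`product_id` in CVE-2021-47928, `courier_id` in CVE-2016-10509, `search` in CVE-2024-58341). The following is an added illustrative example, not OpenCart's database layer: it uses PDO with bound parameters against hypothetical `product` and `product_description` tables, and shows the two shapes of input those entries involve, a free-text search string and an integer identifier.

```php
<?php
// Added illustrative example, not OpenCart's code. Table and column names
// are hypothetical; $db is an already-connected PDO handle to MySQL.

// Vulnerable pattern: the user-controlled string becomes part of the
// statement text, so quotes, comments and SLEEP() are interpreted as SQL.
function searchProductsVulnerable(PDO $db, string $search): array
{
    $sql = "SELECT product_id, name FROM product_description "
         . "WHERE name LIKE '%" . $search . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the value travels as a bound parameter, never as SQL text.
// LIKE metacharacters in the input are escaped as well, so a user cannot turn
// "%" or "_" into wildcards (MySQL's default LIKE escape char is backslash).
function searchProductsHardened(PDO $db, string $search): array
{
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT product_id, name FROM product_description WHERE name LIKE :pattern"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integer identifiers: validate the type first, then bind as an integer.
// ctype_digit() rejects signs, whitespace and anything non-numeric outright.
function productById(PDO $db, string $rawId): ?array
{
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare("SELECT product_id, price FROM product WHERE product_id = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (hypothetical DSN and credentials):
// $db = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,   // let the server parse the statement
// ]);
// $rows = searchProductsHardened($db, $_GET['search'] ?? '');
// $item = productById($db, (string) ($_GET['product_id'] ?? ''));
```

Turning off `PDO::ATTR_EMULATE_PREPARES` matters for the time-based technique the CVE-2021-47928 entry mentions: with server-side prepares, the bound value is sent separately from the statement, so no string-escaping bug in the driver can reintroduce the injection.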