Vendor CVEs
Opencart
All CVEs
39 total · sorted by risk

Column key: Risk is this site's composite score; CVSS is the base score; EPSS is the exploit-prediction probability; KEV marks inclusion in CISA's Known Exploited Vulnerabilities catalogue. A dash means the field is not populated for that entry: the KEV column is blank for every row on this page, and the entries below the first thirteen carry no severity or CVSS value.

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-47923 | Opencart | Critical | 0.64 | 9.8 | 0.00 | — | May 10, 2026 | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover… |
| CVE-2014-3990 | Opencart | Critical | 0.57 | 9.8 | 0.07 | — | Mar 20, 2018 | The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-side request forgery (SSRF) attacks or possibly conduct XML External Entity (XXE) attacks and execute arbitrary code via a crafted serialized PHP… |
| CVE-2021-47928 | Opencart | High | 0.53 | 8.2 | 0.00 | — | May 10, 2026 | Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based… |
| CVE-2018-11231 | Opencart | High | 0.53 | 8.1 | 0.09 | — | May 23, 2018 | SQL injection in the Divido plugin for OpenCart allows attackers to retrieve confidential information from the database. |
| CVE-2016-10509 | Opencart | High | 0.40 | 7.2 | 0.01 | — | Aug 31, 2017 | SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before version 2.3.0.0 allows remote authenticated administrators to execute arbitrary SQL commands via a carrier (aka courier_id) parameter to openbay.php. |
| CVE-2021-47946 | Opencart | Medium | 0.34 | 5.3 | 0.00 | — | May 10, 2026 | OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email… |
| CVE-2015-4671 | Opencart | Medium | 0.33 | 6.1 | 0.02 | — | Jan 12, 2016 | Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php. |
| CVE-2026-5331 | Opencart | Medium | 0.31 | 4.7 | 0.00 | — | Apr 2, 2026 | Path traversal in installer.php (Extension Installer page) of OpenCart 4.1.0.3; the affected code path is not identified. The attack can be launched remotely. The exploit has been publicly disclosed… |
| CVE-2021-47953 | Opencart | Medium | 0.28 | 4.3 | 0.00 | — | May 10, 2026 | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the… |
| CVE-2025-15116 | Opencart | Low | 0.24 | 3.7 | 0.00 | — | Dec 28, 2025 | Race condition in the Single-Use Coupon Handler of OpenCart up to 4.1.0.3; the affected function is not identified. The attack can be initiated remotely. The attack's complexity is… |
| CVE-2024-21517 | Opencart | Medium | 0.20 | 4.2 | 0.00 | — | Jun 22, 2024 | This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of the customer account/login route. An attacker can inject arbitrary HTML and JavaScript into the page response. As this vulnerability is present in… |
| CVE-2024-21516 | Opencart | Medium | 0.20 | 4.2 | 0.00 | — | Jun 22, 2024 | This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of the admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously… |
| CVE-2024-21515 | Opencart | Medium | 0.20 | 4.2 | 0.00 | — | Jun 22, 2024 | This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then… |
| CVE-2009-1621 | Opencart | — | 0.04 | — | 0.06 | — | May 12, 2009 | Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the route parameter. |
| CVE-2019-15081 | Opencart | — | 0.03 | — | 0.02 | — | Aug 15, 2019 | OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages. |
| CVE-2024-58341 | Opencart | — | 0.00 | — | 0.00 | — | Mar 25, 2026 | OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values… |
| CVE-2026-3714 | Opencart | — | 0.00 | — | 0.00 | — | Mar 8, 2026 | Incomplete fix for CVE-2024-36694 in OpenCart 4.0.2.3: the Save function of admin/controller/design/template.php still allows improper neutralization of special elements used in a… |
| CVE-2025-45893 | Opencart | — | 0.00 | — | 0.00 | — | Jul 25, 2025 | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file… |
| CVE-2025-45892 | Opencart | — | 0.00 | — | 0.00 | — | Jul 25, 2025 | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript… |
| CVE-2025-1749 | Opencart | — | 0.00 | — | 0.00 | — | Feb 28, 2025 | HTML injection in OpenCart versions prior to 4.1.0: an attacker can modify the HTML rendered in the victim's browser by sending a malicious URL that alters the parameter name in /account/voucher. |
| CVE-2025-1748 | Opencart | — | 0.00 | — | 0.00 | — | Feb 28, 2025 | HTML injection in OpenCart versions prior to 4.1.0: an attacker can modify the HTML rendered in the victim's browser by sending a malicious URL that alters the parameter name in /account/register. |
| CVE-2025-1747 | Opencart | — | 0.00 | — | 0.00 | — | Feb 28, 2025 | HTML injection in OpenCart versions prior to 4.1.0: an attacker can modify the HTML rendered in the victim's browser by sending a malicious URL that alters the parameter name in /account/login. |
| CVE-2025-1746 | Opencart | — | 0.00 | — | 0.00 | — | Feb 28, 2025 | Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be… |
| CVE-2024-36694 | Opencart | — | 0.00 | — | 0.01 | — | Dec 18, 2024 | OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor function. |
| CVE-2024-21519 | Opencart | — | 0.00 | — | 0.01 | — | Jun 22, 2024 | This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary… |
| CVE-2024-21518 | Opencart | — | 0.00 | — | 0.14 | — | Jun 22, 2024 | This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary… |
| CVE-2023-47444 | Opencart | — | 0.00 | — | 0.02 | — | Nov 15, 2023 | An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users with the common/security write privilege to write arbitrary untrusted data into config.php and admin/config.php, resulting in remote code execution on the underlying server. |
| CVE-2023-2315 | Opencart | — | 0.00 | — | 0.01 | — | Sep 26, 2023 | Path traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server. |
| CVE-2023-40834 | Opencart | — | 0.00 | — | 0.01 | — | Sep 12, 2023 | OpenCart CMS v4.0.2.2 lacks a protective mechanism on its login page against excessive login attempts, allowing unauthenticated attackers to gain access to the application by brute-forcing the password parameter. |
| CVE-2020-20491 | Opencart | — | 0.00 | — | 0.01 | — | Jun 20, 2023 | SQL injection vulnerability in OpenCart v2.2.00 through 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php. |
| CVE-2021-37823 | Opencart | — | 0.00 | — | 0.01 | — | Nov 3, 2022 | OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the admin backend. |
| CVE-2022-41403 | Opencart | — | 0.00 | — | 0.01 | — | Oct 12, 2022 | OpenCart 3.x Newsletter Custom Popup was discovered to contain a SQL injection vulnerability via the email parameter at index.php?route=extension/module/so_newletter_custom_popup/newsletter. |
| CVE-2022-34972 | Opencart | — | 0.00 | — | 0.01 | — | Jul 5, 2022 | So Filter Shop v3.x was discovered to contain multiple blind SQL injection vulnerabilities via the att_value_id, manu_value_id, opt_value_id, and subcate_value_id parameters at /index.php?route=extension/module/so_filter_shop_by/filter_data. |
| CVE-2013-1891 | Opencart | — | 0.00 | — | 0.06 | — | Jun 24, 2022 | In OpenCart 1.4.7 to 1.5.5.1, the anti-traversal code implemented in filemanager.php is ineffective and can be bypassed. |
| CVE-2011-3763 | Opencart | — | 0.00 | — | 0.02 | — | Sep 24, 2011 | OpenCart 1.4.9.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by system/startup.php and certain other files. |
| CVE-2010-1610 | Opencart | — | 0.00 | — | 0.01 | — | Apr 29, 2010 | Cross-site request forgery (CSRF) vulnerability in index.php in OpenCart 1.4 allows remote attackers to hijack the authentication of an application administrator for requests that create an administrative account via a POST request with the route parameter set to… |
| CVE-2010-0956 | Opencart | — | 0.00 | — | 0.01 | — | Mar 10, 2010 | SQL injection vulnerability in index.php in OpenCart 1.3.2 allows remote attackers to execute arbitrary SQL commands via the page parameter. |
| CVE-2009-1027 | Opencart | — | 0.00 | — | 0.02 | — | Mar 20, 2009 | SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers to execute arbitrary SQL commands via the order parameter. |
| CVE-2008-3130 | Opencart | — | 0.00 | — | 0.01 | — | Jul 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenCart 0.7.7 allow remote attackers to inject arbitrary web script or HTML via the (1) firstname and (2) search parameters. NOTE: the provenance of this information is unknown; the details are obtained solely… |
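The highest-ranked entry above, CVE-2021-47923, describes the classic session fixation pattern: the server adopts whatever OCSESSID value the client presents. The block below is an added example, not OpenCart code, that models that behaviour beside a hardened session handler (only server-issued ids are honoured and the id is rotated at login) and adds a black-box check a tester would run against a real deployment. `SessionStore`, `fixation_attack` and `server_accepted_fixed_id` are illustrative names, and the planted cookie value and Set-Cookie lines in the test are constructed.

```python
"""Session fixation: vulnerable vs hardened handling of an OCSESSID cookie.

Added example, not OpenCart code. accept_unknown_ids=True reproduces the
behaviour CVE-2021-47923 describes (the server "accepts and maintains" an
arbitrary client-supplied id); False is the hardened handler.
"""
from __future__ import annotations

import secrets
from typing import Dict, List, Optional

COOKIE = "OCSESSID"


class SessionStore:
    def __init__(self, accept_unknown_ids: bool) -> None:
        self.accept_unknown_ids = accept_unknown_ids
        self.sessions: Dict[str, dict] = {}

    def new_id(self) -> str:
        sid = secrets.token_hex(16)       # 128 bits from the OS CSPRNG
        self.sessions[sid] = {}
        return sid

    def resolve(self, cookie_value: Optional[str]) -> str:
        """Pick the session id the server will use for this request."""
        if cookie_value is not None and cookie_value in self.sessions:
            return cookie_value
        if cookie_value is not None and self.accept_unknown_ids:
            # Vulnerable: an id the server never issued becomes a live session.
            self.sessions[cookie_value] = {}
            return cookie_value
        # Hardened: unknown or missing id, issue a fresh one.
        return self.new_id()

    def login(self, sid: str, customer: str) -> str:
        """Authenticate the session; the hardened path rotates the id so a
        value planted before login no longer points at the authenticated state."""
        if self.accept_unknown_ids:
            self.sessions[sid]["customer"] = customer
            return sid
        data = self.sessions.pop(sid)
        data["customer"] = customer
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = data
        return fresh

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("customer")


def fixation_attack(store: SessionStore) -> Optional[str]:
    """Attacker plants an id in the victim's browser, victim logs in,
    attacker presents the planted id. Returns the identity the attacker gets."""
    planted = "attacker-chosen-value"             # constructed, not a real id
    victim_sid = store.resolve(planted)           # victim's request carries it
    store.login(victim_sid, "victim@example.com")  # constructed victim account
    return store.whoami(planted)


def server_accepted_fixed_id(sent_id: str, set_cookie_headers: List[str]) -> bool:
    """Black-box heuristic for a live target: after a request that carried
    OCSESSID=sent_id, did the response replace it? True when no Set-Cookie
    assigns OCSESSID a different value, i.e. the server kept the planted id."""
    for header in set_cookie_headers:
        name, _, value = header.split(";", 1)[0].partition("=")
        if name.strip() == COOKIE and value.strip() != sent_id:
            return False
    return True


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(SessionStore(accept_unknown_ids=True)))
    print("hardened:  ", fixation_attack(SessionStore(accept_unknown_ids=False)))
```

`server_accepted_fixed_id` is only a first signal: a server that ignores the cookie entirely also sends no replacement. Confirm by making a second request with the same planted id and checking that state from the first request (cart contents, language choice) persists; that is what "maintains" in the CVE text means in practice.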