Product: opencart

40 known vulnerabilities across OpenCart versions
Each entry gives the CVE identifier, the affected version range as recorded by the platform, a one-line summary (truncated on this page), and, where one is recorded, a score and severity rating.
CVE-2024-58341
all versions
OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries
8.2 HIGH
CVE-2026-3714
all versions
A vulnerability has been found in OpenCart 4.0.2.3. Affected by this issue is the function Save of the file admin/controller/desig
4.7 MEDIUM
CVE-2025-15116
<= 4.1.0.3
A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the compone
3.7 LOW
CVE-2025-45893
<= 4.1.0.4
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The
6.1 MEDIUM
CVE-2025-45892
<= 4.1.0.4
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises
6.1 MEDIUM
CVE-2025-1749
< 4.1.0.0
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HT
4.7 MEDIUM
CVE-2025-1748
< 4.1.0.0
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HT
4.7 MEDIUM
CVE-2025-1747
< 4.1.0.0
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HT
4.7 MEDIUM
CVE-2025-1746
< 4.1.0.0
Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScrip
6.1 MEDIUM
CVE-2024-36694
all versions
OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.
7.2 HIGH
CVE-2024-21519
>= 4.0.0.0
This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the datab
6.6 MEDIUM
CVE-2024-21518
>= 4.0.0.0
This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer
7.2 HIGH
CVE-2024-21517
>= 4.0.0.0
This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect paramete
4.2 MEDIUM
CVE-2024-21516
>= 4.0.0.0
This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in th
4.2 MEDIUM
CVE-2024-21515
>= 4.0.0.0
This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename paramete
4.2 MEDIUM
CVE-2024-21514
all versions
This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment ext
7.4 HIGH
CVE-2023-47444
>= 4.0.0.0 and <= 4.0.2.3
An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can w
8.8 HIGH
CVE-2023-2315
>= 4.0.0.0 and <= 4.0.2.2
Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log compon
8.1 HIGH
CVE-2023-40834
all versions
OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing u
9.8 CRITICAL
CVE-2020-20491
>= 2.2.00 and <= 3.0.3.2
SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugi
7.2 HIGH
CVE-2021-37823
all versions
OpenCart 3.0.3.7 allows users to obtain database information or read server files through SQL injection in the background.
4.9 MEDIUM
CVE-2013-1891
>= 1.4.7 and <= 1.5.5.1
In OpenCart 1.4.7 to 1.5.5.1, implemented anti-traversal code in filemanager.php is ineffective and can be bypassed.
6.5 MEDIUM
CVE-2020-29471
all versions
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Profile Image. An admin can upload a profile image as a maliciou
4.8 MEDIUM
CVE-2020-29470
all versions
OpenCart 3.0.3.6 is affected by cross-site scripting (XSS) in the Subject field of mail. This vulnerability can allow an attacker
4.8 MEDIUM
CVE-2020-28838
all versions
Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add t
3.5 LOW
CVE-2020-13980
all versions
OpenCart 3.0.3.3 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload sectio
4.8 MEDIUM
CVE-2020-10596
all versions
OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS attacks via a crafted filename in the users' image upload sectio
5.4 MEDIUM
CVE-2019-15081
>= 3.0.0.0 and <= 3.0.3.2
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of t
4.8 MEDIUM
CVE-2018-13067
<= 3.0.2.0
/upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/password URI
8.8 HIGH
CVE-2018-11495
<= 3.0.2.0
OpenCart through 3.0.2.0 allows directory traversal in the editDownload function in admin\model\catalog\download.php via admin/ind
4.9 MEDIUM
CVE-2018-11494
<= 3.0.2.0
The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move, xml, remo
8.0 HIGH
CVE-2014-3990
<= 1.5.6.4
The Cart::getProducts method in system/library/cart.php in OpenCart 1.5.6.4 and earlier allows remote attackers to conduct server-
9.8 CRITICAL
CVE-2016-10509
<= 2.3.0.0
SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCart before
7.2 HIGH
CVE-2015-4671
<= 2.1.0.1
Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML
6.1 MEDIUM
CVE-2011-3763
all versions
OpenCart 1.4.9.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the in
CVE-2010-1610
all versions
Cross-site request forgery (CSRF) vulnerability in index.php in OpenCart 1.4 allows remote attackers to hijack the authentication
CVE-2010-0956
all versions
SQL injection vulnerability in index.php in OpenCart 1.3.2 allows remote attackers to execute arbitrary SQL commands via the page
CVE-2009-1621
all versions
Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a .. (dot dot
CVE-2009-1027
all versions
SQL injection vulnerability in OpenCart 1.1.8 allows remote attackers to execute arbitrary SQL commands via the order parameter.
CVE-2008-3130
all versions
Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenCart 0.7.7 allow remote attackers to inject arbitrary web
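The listing above is usable for a quick exposure check once the version-range labels are parsed, with one caveat the page itself shows: several entries carry the label "all versions" while their text pins a single release (CVE-2024-58341 and CVE-2024-36694 name 4.0.2.3, CVE-2023-40834 names 4.0.2.2), and CVE-2024-21516 is labelled ">= 4.0.0.0" although its text says "before 4.1.0.0". A label of "all versions" is therefore best read as "range not recorded" and confirmed against the description before it drives a patching decision. The following Python is an added example written for this page, not code from the threatengine.sh platform or from OpenCart: it parses six entries copied verbatim from the listing above (embedded inline, truncated text included), turns each range label into a predicate, reports which entries cover an installed release, and flags "all versions" entries whose text names a specific release. The entry layout it assumes (CVE line, range line, description line, optional "score severity" line) is inferred from this page and is not a documented export format.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample: six entries copied verbatim from the listing on this page,
# descriptions truncated exactly as shown there. The four-line layout (CVE, range,
# description, optional "score severity") is inferred from the page, not documented.
SAMPLE = """
CVE-2025-45893
<= 4.1.0.4
OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The
6.1 MEDIUM
CVE-2025-1746
< 4.1.0.0
Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScrip
6.1 MEDIUM
CVE-2023-47444
>= 4.0.0.0 and <= 4.0.2.3
An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privilege can w
8.8 HIGH
CVE-2020-20491
>= 2.2.00 and <= 3.0.3.2
SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugi
7.2 HIGH
CVE-2023-40834
all versions
OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing u
9.8 CRITICAL
CVE-2010-0956
all versions
SQL injection vulnerability in index.php in OpenCart 1.3.2 allows remote attackers to execute arbitrary SQL commands via the page
"""

Version = Tuple[int, ...]
CLAUSE_RE = re.compile(r"^(<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")
SEVERITY_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(LOW|MEDIUM|HIGH|CRITICAL)$")  # "8.2HIGH" or "8.2 HIGH"
RELEASE_IN_TEXT_RE = re.compile(r"\d+(?:\.\d+){2,}")  # a release string such as 4.0.2.2 or 1.3.2

@dataclass
class Entry:
    cve: str
    version_range: str
    description: str
    score: Optional[float] = None
    severity: Optional[str] = None

def parse_version(text: str) -> Version:
    """'2.2.00' -> (2, 2); '4.1.0.0' -> (4, 1): drop trailing zeros so tuples compare correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts

def parse_range(label: str) -> Callable[[Version], bool]:
    """Range label -> predicate. Forms on the page: 'all versions', '< X', '<= X', '>= X', '>= X and <= Y'."""
    label = label.strip()
    if label == "all versions":
        return lambda v: True
    preds = []
    for clause in label.split(" and "):
        m = CLAUSE_RE.match(clause.strip())
        if not m:  # fail loudly: a silent non-match would hide an entry from the check
            raise ValueError(f"unrecognised version range: {label!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        preds.append({"<": lambda v, b=bound: v < b, "<=": lambda v, b=bound: v <= b,
                      ">": lambda v, b=bound: v > b, ">=": lambda v, b=bound: v >= b}[op])
    return lambda v: all(p(v) for p in preds)

def parse_listing(text: str) -> List[Entry]:
    """Split the listing into entries; the score/severity line is optional (older CVEs lack it)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        if not lines[i].startswith("CVE-"):
            raise ValueError(f"expected a CVE id, got {lines[i]!r}")
        entry = Entry(lines[i], lines[i + 1], lines[i + 2])
        i += 3
        m = SEVERITY_RE.match(lines[i]) if i < len(lines) else None
        if m:
            entry.score, entry.severity = float(m.group(1)), m.group(2)
            i += 1
        entries.append(entry)
    return entries

def affecting(entries: List[Entry], installed: str) -> List[Entry]:
    """Entries whose range label covers the installed release."""
    v = parse_version(installed)
    return [e for e in entries if parse_range(e.version_range)(v)]

def suspicious_all_versions(entries: List[Entry]) -> List[Entry]:
    """'all versions' entries whose text pins a release: treat the label as 'range not recorded'."""
    return [e for e in entries
            if e.version_range == "all versions" and RELEASE_IN_TEXT_RE.search(e.description)]

if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for e in affecting(entries, "4.0.2.3"):
        print(f"{e.cve:15} {e.version_range:26} {e.score} {e.severity}")
    print("confirm by hand:", [e.cve for e in suspicious_all_versions(entries)])
```

Run against an installed 4.0.2.3 the sample yields the two XSS entries, CVE-2023-47444, and both "all versions" entries; against 4.1.0.4 only the SVG XSS and the two "all versions" entries remain. Because "all versions" matches everything, the second report is exactly where the confirm-by-hand list matters: both flagged entries name a specific old release in their text, and the real version bound has to come from the full briefing, not from this label.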
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin