Description
Joomla! Component jCart for OpenCart 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the product_id parameter. Attackers can send GET requests to index.php with the option=com_jcart&route=product/product parameters and malicious product_id values to extract sensitive database information.
Published: 2026-06-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection in the jCart component for OpenCart 2.0, triggered through the product_id GET parameter. An unauthenticated attacker can craft a request to index.php with option=com_jcart&route=product/product and inject arbitrary SQL, allowing extraction of sensitive database content. This flaw maps to CWE-89 and can compromise the confidentiality of stored data.

Affected Systems

The affected product is the jCart component developed by Soft‑Php for OpenCart 2.0. The vendor list includes Soft‑Php and the component name jCart for OpenCart. No specific patched versions were listed in the advisory; thus all installations of the component in OpenCart 2.0 that contain the vulnerable code are considered affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. The exploitation does performed purely via a crafted GET request, making it easily automated. Though the EPSS score is not available and the vulnerability is not listed in CISA KEV, the compound of high Attackers can readily gain read access to database tables.

Generated by OpenCVE AI on June 19, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the jCart component to the latest patched version released by Soft‑Php or replace it with a maintained alternative.
  • If a patch is unavailable, disable the com_jcart route or restrict it to authenticated users only, and remove the product_id parameter from public URLs.
  • Deploy a web application firewall or apply input‑validation rules that detect and block SQL injection patterns on the product_id parameter.

Generated by OpenCVE AI on June 19, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Soft-php
Soft-php jcart For Opencart
Vendors & Products Soft-php
Soft-php jcart For Opencart

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Joomla! Component jCart for OpenCart 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the product_id parameter. Attackers can send GET requests to index.php with the option=com_jcart&route=product/product parameters and malicious product_id values to extract sensitive database information.
Title Joomla! Component jCart for OpenCart 2.0 SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Soft-php Jcart For Opencart
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T17:13:43.292Z

Reserved: 2026-06-19T15:11:21.441Z

Link: CVE-2017-20282

cve-icon Vulnrichment

Updated: 2026-06-22T17:02:46.866Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:07Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')