Description
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.
Published: 2026-05-10
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenCart 3.0.3.8 mishandles the OCSESSID cookie, allowing an attacker to supply a crafted value that the server accepts as a valid session identifier. This flaw enables session fixation: the attacker forces a known session ID onto a victim, and once the victim authenticates under that ID the attacker can take over the session and gain unauthorized access to the victim's account. The weakness is an authentication flaw, classified as CWE-290.

Affected Systems

The vulnerability affects the OpenCart 3.0.3.8 release. Systems running this exact version of the OpenCart e-commerce platform are at risk, irrespective of the underlying operating system or hosting environment.

Risk and Exploitability

The CVSS score of 9.3 rates this flaw as Critical, reflecting both high impact and high exploitability. EPSS data is not available, so the likelihood of exploitation in the wild is unknown; however, the absence of mitigations and the straightforward cookie manipulation involved make it relatively easy to exploit. The vulnerability is not listed in CISA's KEV catalog at this time.

Generated by OpenCVE AI on May 10, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official OpenCart patch, upgrading from 3.0.3.8 to a fixed version
  • If an official patch is not available, disable or remove the OCSESSID cookie handling in the application code
  • Configure the web server to enforce secure session cookie attributes and reject arbitrary session identifiers supplied by clients

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts.
Title | | OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie
First Time appeared | | Opencart; Opencart opencart
Weaknesses | | CWE-290
CPEs | | cpe:2.3:a:opencart:opencart:3.0.3.8:*:*:*:*:*:*:*
Vendors & Products | | Opencart; Opencart opencart
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:45.985Z

Reserved: 2026-02-01T11:24:18.715Z

Link: CVE-2021-47923

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:28.170

Modified: 2026-05-10T13:16:28.170

Link: CVE-2021-47923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T14:45:14Z

Weaknesses