Description
Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.
Published: 2026-05-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Opencart TMD Vendor System 3.x contains a blind SQL injection flaw in the product_id parameter of the product route. The vulnerability allows an unauthenticated attacker to inject and execute SQL code that is hidden from the user response, using time‑based or content‑based techniques. Successful exploitation can reveal sensitive data such as usernames, email addresses, and password reset codes stored in the oc_user table, which directly compromises the confidentiality of the application’s user database.

Affected Systems

Vendors affected include opencartextensions, specifically the Extension TMD Vendor System. The vulnerability impacts version 3.x of the plugin, though the precise release build is not listed. All installations using this version without the corresponding fix are susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. Without an EPSS score, the historical exploitation probability is unknown, but the flaw is unauthenticated and can be triggered via standard HTTP requests to the product route, making it widely exploitable from any network location. The vulnerability is not currently listed in CISA’s KEV catalog. Attackers can leverage automated blind injection tools to enumerate database contents, leading to potential credential compromise and further lateral movement within the system.

Generated by OpenCVE AI on May 10, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TMD Vendor System to the latest patched release that eliminates the SQL injection vulnerability.
  • If a patch is unavailable, restrict access to the product route by implementing authentication checks or removing the vulnerable endpoint from public exposure.
  • Apply input validation or parameterized queries for the product_id field and consider a web application firewall rule set to detect and block SQL injection patterns.

Generated by OpenCVE AI on May 10, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Opencartextensions
Opencartextensions extension Tmd Vendor System
Vendors & Products Opencartextensions
Opencartextensions extension Tmd Vendor System

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.
Title Opencart TMD Vendor System 3.x Blind SQL Injection via product route
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Opencartextensions Extension Tmd Vendor System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T14:44:48.543Z

Reserved: 2026-02-01T11:24:18.716Z

Link: CVE-2021-47928

cve-icon Vulnrichment

Updated: 2026-05-11T14:44:45.575Z

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:28.863

Modified: 2026-05-10T13:16:28.863

Link: CVE-2021-47928

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:23:35Z

Weaknesses