Description
AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed.
Published: 2026-05-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AmazCart CMS 3.4 contains a reflected XSS vulnerability that permits unauthenticated users to inject JavaScript through the search feature. Attackers can submit script tags as search terms; the input is reflected in search history or results, enabling arbitrary script execution in the victim’s browser.

Affected Systems

Spondonit AmazCart CMS version 3.4 is affected. No other versions or products are listed.

Risk and Exploitability

The CVSS v4.0 score is 5.1 (medium severity); the CVSS v3.1 score is 6.1. EPSS data is unavailable and the vulnerability is not listed in CISA KEV. The attacker needs no authentication, special permissions or system access, only a crafted search query. Both CVSS vectors mark user interaction as required (UI:R, UI:A), so the script runs when a victim views the reflected search results or search history. An attacker can use the injected script to read cookies, deface pages, or conduct phishing within the context of the victim’s session.

Generated by OpenCVE AI on May 5, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor patch or upgrade AmazCart CMS to the latest released version where the XSS flaw is fixed.
  • Sanitise the search input on the server side and encode output to remove or neutralise <script> tags before they are rendered.
  • Deploy a Content Security Policy that blocks inline scripts and restricts script sources to approved domains, thereby limiting the effectiveness of reflected XSS payloads.


Advisories

No advisories yet.

History

Tue, 05 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 05 May 2026 11:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed. |
| Title | | AmazCart CMS 3.4 Reflected Cross-Site Scripting via Search |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |
| Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T14:53:45.706Z

Reserved: 2026-01-10T01:51:52.986Z

Link: CVE-2023-54349

Vulnrichment

Updated: 2026-05-05T14:53:30.795Z

NVD

Status: Received

Published: 2026-05-05T12:16:17.440

Modified: 2026-05-05T12:16:17.440

Link: CVE-2023-54349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T12:30:24Z

Weaknesses