Description
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.
Published: 2026-04-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

A reflected cross‑site scripting vulnerability exists in Joomla VirtueMart Shopping‑Cart 4.0.12. By injecting JavaScript payloads into the keyword parameter of the product‑variants endpoint, an attacker can cause arbitrary scripts to run in the browsers of visitors. This can lead to theft of session tokens, credentials, or other sensitive information from the victim’s browser. The flaw is a classic input‑validation weakness that allows malicious content to be reflected back to the client.

Affected Systems

The vulnerability affects the VirtueMart Shopping‑Cart product, specifically version 4.0.12. Users running this version of the cart, including installations integrated with Joomla, are at risk.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Because the flaw is triggered by a crafted URL containing a malicious keyword, an attacker only needs to entice a victim to visit the URL, making it potentially exploitable in phishing campaigns or spam links. No authentication or privileged access is required for exploitation.

Generated by OpenCVE AI on April 9, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch for VirtueMart Shopping‑Cart or upgrade to a version that fixes the keyword parameter sanitization issue.
  • If a patch is unavailable, configure the cart to strip or encode script tags from the keyword parameter before rendering it.
  • Monitor for anomalous URLs and educate users about the risk of clicking untrusted links that target the product‑variants endpoint.

Generated by OpenCVE AI on April 9, 2026 at 22:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Virtuemart
Virtuemart cart
Vendors & Products Virtuemart
Virtuemart cart

Thu, 09 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials.
Title Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword
First Time appeared Cs-cart
Cs-cart cs-cart
Weaknesses CWE-79
CPEs cpe:2.3:a:cs-cart:cs-cart:4.0.12:*:*:*:*:*:*:*
Vendors & Products Cs-cart
Cs-cart cs-cart
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Cs-cart Cs-cart
Virtuemart Cart
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T15:00:12.340Z

Reserved: 2026-04-09T20:42:08.468Z

Link: CVE-2023-54362

cve-icon Vulnrichment

Updated: 2026-04-13T14:59:38.705Z

cve-icon NVD

Status : Deferred

Published: 2026-04-09T21:16:05.717

Modified: 2026-04-15T15:00:32.790

Link: CVE-2023-54362

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:12Z

Weaknesses