Description
Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field.
Published: 2026-04-15
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Mitigation
AI Analysis

Impact

This vulnerability is a command injection flaw (CWE-77, improper neutralization of special elements used in a command) in the connect function of NietThijmen ShoppingCart 0.0.2. The value of the Port field reaches a shell command without being neutralized, so an attacker who can set that field can append shell syntax and have arbitrary commands run on the host with the privileges of the application process. With that foothold the attacker can read, modify, delete or exfiltrate data, establish persistence, or pivot to other systems reachable from the host. The root cause is a missing input validation step: a field that should only ever hold a port number is accepted verbatim and handed to a shell.

Affected Systems

The issue affects the open‑source NietThijmen ShoppingCart, version 0.0.2. No other vendors or product versions are currently listed as affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores the issue 8.4 High: no privileges and no user interaction are required, and confidentiality, integrity and availability are all rated High. Note that the assigned attack vector is Local, while the CVE text describes remote code execution; treat the Local rating as the value that was assigned, not as evidence that the Port field cannot be reached over the network. No EPSS score is available. The SSVC record lists Exploitation: poc, Technical Impact: total and Automatable: no, i.e. a proof of concept exists but the vector is not considered mass-exploitable. The expected attack is a crafted request that places shell syntax in the Port field, which the connect function then passes to a shell. No prerequisites beyond the ability to supply that field are disclosed, so if the field is reachable by unauthenticated users the flaw is reachable by them too.

Generated by OpenCVE AI on April 16, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ShoppingCart to a patched version as soon as one is available
  • Validate the Port field as a decimal integer in the range 1-65535 and reject anything else (spaces, shell metacharacters such as ; | & $ ` and newlines); do not try to strip bad characters, reject the whole value
  • Never build the connect command as a shell string; pass the validated port as a separate argument to the program without invoking a shell
  • Run the application process with the least privilege it needs so that any command it is tricked into executing cannot alter critical system files or services
  • Consider deploying a web application firewall to detect and block suspicious input patterns in the Port field while a fix is pending
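The following is an added example, not code from NietThijmen ShoppingCart or from the CVE record, showing the pattern the recommendations above are aimed at. It assumes a connect() that builds a shell command from the Port field (the project's actual implementation and language are not stated on this page), uses `echo` as a harmless stand-in for the real network client, and uses a constructed host name and payload. The vulnerable form shows the injected command running; the hardened form validates the port and passes an argv list with no shell.

```python
import re
import subprocess

# Constructed inputs for this example (not from the CVE record).
GOOD_PORT = "8080"
INJECTED_PORT = "8080; echo INJECTED"
HOST = "shop.example"

# A port is one to five decimal digits; anything else is rejected outright.
_PORT_RE = re.compile(r"[0-9]{1,5}")


def validate_port(value):
    """Return the port as an int if `value` is a decimal string in 1..65535, else None.

    Rejecting everything that is not pure digits means no space, ';', '|',
    '$(', backtick or newline can ever reach a command line.
    """
    if not isinstance(value, str) or _PORT_RE.fullmatch(value) is None:
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None


def connect_vulnerable(host, port):
    """Hypothetical vulnerable connect(): the Port field is pasted into a shell string.

    `echo` stands in for the real client so the demonstration is harmless,
    but the shell still parses ';' and runs whatever follows it.
    Returns the captured stdout so the injected output can be inspected.
    """
    cmd = f"echo connecting to {host}:{port}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def connect_hardened(host, port):
    """Hardened connect(): validate first, then execute an argv list with no shell.

    Raises ValueError for any port that is not a valid number. Returns the
    argv that was executed so a caller can confirm nothing was interpreted.
    """
    p = validate_port(port)
    if p is None:
        raise ValueError(f"invalid port: {port!r}")
    argv = ["echo", "connecting", "to", f"{host}:{p}"]
    subprocess.run(argv, check=True, capture_output=True)
    return argv


if __name__ == "__main__":
    # Vulnerable: the second output line is produced by the injected command.
    print(connect_vulnerable(HOST, INJECTED_PORT), end="")
    # Hardened: the good port is accepted, the payload is rejected before any exec.
    print(connect_hardened(HOST, GOOD_PORT))
    try:
        connect_hardened(HOST, INJECTED_PORT)
    except ValueError as exc:
        print("rejected:", exc)
```

The host argument is treated as trusted here because only the Port field is in scope for this CVE; in a real connect() it should get the same allow-list treatment, and the argv form still protects it from shell parsing.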

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 03:00:00 +0000

Title (added): Command Injection via Port Field in NietThijmen ShoppingCart Leading to Remote Code Execution

Wed, 15 Apr 2026 21:15:00 +0000

First Time appeared (added): Nietthijmen; Nietthijmen shoppingcart
Vendors & Products (added): Nietthijmen; Nietthijmen shoppingcart

Wed, 15 Apr 2026 18:30:00 +0000

Weaknesses (added): CWE-77
Metrics (added): cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 15:00:00 +0000

Description (added): Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T17:27:22.513Z

Reserved: 2024-11-20T00:00:00.000Z

Link: CVE-2024-53412

Vulnrichment

Updated: 2026-04-15T17:26:18.256Z

NVD

Status : Received

Published: 2026-04-15T15:16:39.710

Modified: 2026-04-15T18:16:38.160

Link: CVE-2024-53412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses