Description
OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database data exposure
Action: Immediate Patch
AI Analysis

Impact

OpenCart Core 4.0.2.3 is vulnerable to an unauthenticated SQL injection via the search parameter on the product search endpoint. An attacker can send specially crafted GET requests containing malicious SQL code that exploits insufficient input validation. The flaw allows boolean-based blind or time-based blind injection techniques, giving the attacker the ability to read sensitive data from the database, such as customer details and order information, thereby compromising confidentiality. The vulnerability is classified as CWE-89 (SQL Injection).

Affected Systems

The affected product is OpenCart Core from the vendor Opencart, specifically version 4.0.2.3 and potentially 4.1.0.0, which contains the same code path. Systems running these versions without the latest patch are at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation can occur without authentication by sending a crafted GET request to the search endpoint, meaning that any remote visitor could potentially enumerate database contents if the attack is successful.

Generated by OpenCVE AI on March 27, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenCart Core to the latest release (4.1.0.0 or newer).
  • Ensure that the search parameter is properly sanitized or validated on the server side.
  • Verify that the application no longer processes raw input from the search query.
  • Monitor web application logs for suspicious search queries containing SQL syntax.
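The log-monitoring action above, as an added example that is not code from OpenCVE or the OpenCart project: a small Python scanner that reads web-server access-log lines, pulls the 'search' query parameter out of each request, URL-decodes it (with a second pass so double-encoded values are not missed), and flags values that contain SQL syntax a product search term would never carry. The Combined Log Format layout, the index.php?route=product/search request path, the signature names and the sample log lines are all assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Apache/nginx Combined Log Format (assumed layout): client IP, identd, user,
# [timestamp], "METHOD target PROTOCOL", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# SQL syntax that has no business in a product search term. Signature names are
# our own; each pattern runs against the URL-decoded, lower-cased value.
SQL_SIGNATURES = {
    "quote_then_keyword": re.compile(r"""['"]\s*(and|or|union|select)\b"""),
    "numeric_comparison": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+"),
    "time_function":      re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\("),
    "union_select":       re.compile(r"\bunion\b.+\bselect\b"),
    "quote_then_comment": re.compile(r"""['"].*(--|/\*|#)"""),
}


def classify_search(value):
    """Return the names of the signatures matching one search value.
    The extra unquote_plus pass catches double-encoded payloads that the
    web server (and parse_qs) decoded only once."""
    probe = unquote_plus(value).lower()
    return [name for name, rx in SQL_SIGNATURES.items() if rx.search(probe)]


def search_requests(lines):
    """Yield (ip, status, bytes, search_value) for every request that carries
    a 'search' query parameter; unparsable lines and other requests are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
        for value in query.get("search", []):
            yield m["ip"], int(m["status"]), m["bytes"], value


def scan_log(lines):
    """Return one alert dict per request whose search value matches a signature."""
    alerts = []
    for ip, status, size, value in search_requests(lines):
        hits = classify_search(value)
        if hits:
            alerts.append({"ip": ip, "status": status, "bytes": size,
                           "search": value, "signatures": hits})
    return alerts


def summarize(alerts):
    """Per-client rollup: number of flagged requests and the union of signatures."""
    summary = {}
    for alert in alerts:
        entry = summary.setdefault(alert["ip"], {"requests": 0, "signatures": set()})
        entry["requests"] += 1
        entry["signatures"].update(alert["signatures"])
    return summary


# Constructed sample log, not real traffic. 203.0.113.x are ordinary shoppers;
# 198.51.100.7 probes the search parameter. The two near-identical requests
# with different byte counts are what a boolean-based blind probe looks like
# from the log side; the last one is double-encoded.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Mar/2026:19:30:01 +0000] "GET /index.php?route=product/search&search=running+shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [27/Mar/2026:19:30:05 +0000] "GET /index.php?route=product/search&search=men%27s+t-shirt HTTP/1.1" 200 4988 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Mar/2026:19:31:12 +0000] "GET /index.php?route=product/search&search=shoes%27+AND+1%3D1--+ HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.7 - - [27/Mar/2026:19:31:13 +0000] "GET /index.php?route=product/search&search=shoes%27+AND+1%3D2--+ HTTP/1.1" 200 1210 "-" "python-requests/2.31"',
    '198.51.100.7 - - [27/Mar/2026:19:31:20 +0000] "GET /index.php?route=product/search&search=shoes%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 1210 "-" "python-requests/2.31"',
    '198.51.100.7 - - [27/Mar/2026:19:31:25 +0000] "GET /index.php?route=product/search&search=%2527%2520OR%25201%253D1--%2520 HTTP/1.1" 200 1210 "-" "python-requests/2.31"',
    '203.0.113.22 - - [27/Mar/2026:19:32:00 +0000] "GET /index.php?route=product/category&path=20 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["bytes"], repr(alert["search"]), alert["signatures"])
    print(summarize(scan_log(SAMPLE_LOG)))
```

Apostrophes are common in genuine search terms ("men's t-shirt"), so every quote-based signature requires a SQL keyword or comment sequence after the quote rather than firing on the quote alone. The second decode pass runs only on the probe copy, so a legitimate value such as "c++" is still recorded as typed. When triaging alerts, one client issuing pairs of near-identical queries that differ only in a comparison and return different response sizes is the boolean-based pattern the description refers to, and SLEEP-style calls with elevated response times are the time-based one.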


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opencart:opencart:4.0.2.3:*:*:*:*:*:*:*

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opencart opencart
Vendors & Products | | Opencart opencart

Wed, 25 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opencart opencart Core
CPEs | cpe:2.3:a:opencart:opencart:4.0.2.3:*:*:*:*:*:*:* | cpe:2.3:a:opencart:opencart_core:4.0.2.3:*:*:*:*:*:*:*, cpe:2.3:a:opencart:opencart_core:4.1.0.0:*:*:*:*:*:*:*
Vendors & Products | Opencart opencart | Opencart opencart Core

Wed, 25 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.
Title | | OpenCart Core 4.0.2.3 SQL Injection via search Parameter
First Time appeared | | Opencart, Opencart opencart
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:opencart:opencart:4.0.2.3:*:*:*:*:*:*:*
Vendors & Products | | Opencart, Opencart opencart
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-25T20:04:45.707Z

Reserved: 2026-03-14T21:24:47.537Z

Link: CVE-2024-58341

Vulnrichment

Updated: 2026-03-25T20:04:41.316Z

NVD

Status: Analyzed

Published: 2026-03-25T16:16:07.400

Modified: 2026-03-27T19:24:38.960

Link: CVE-2024-58341

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:24Z

Weaknesses