Description
In Quick.Cart, user passwords are stored in plaintext. An attacker with high privileges can display users' passwords on the user editing page.

The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Published: 2026-02-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext password disclosure
Action: Apply patch
AI Analysis

Impact

The vulnerability allows stored passwords to be retrieved in plaintext through the user editing page. An attacker with enough privileges can see the passwords of all accounts, compromising user credentials and potentially enabling further account takeover or lateral movement. This weakness is identified as CWE‑256, reflecting the improper handling of sensitive data.

Affected Systems

The affected product is OpenSolution Quick.Cart. Version 6.7 has been confirmed vulnerable; no other version has been tested, and it is possible that earlier or later releases are also affected because the vendor has not specified a vulnerability range.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the population at large. The vulnerability requires a user to possess high‑level privileges within the application to view the passwords, meaning exploitation likely requires administrative or equivalent access. The vulnerability is not currently listed in the CISA KEV database.

Generated by OpenCVE AI on April 17, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Await a vendor‑issued patch or upgrade to a version confirmed not to contain the flaw.
  • Force a password reset for all user accounts and reconfigure the application to store passwords using a strong hashing algorithm instead of plaintext.
  • Restrict access to the user editing page so that only strictly necessary roles can view user data, and monitor for any attempts to gain elevated privileges.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:opensolution:quick.cart:6.7:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Fri, 06 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opensolution; Opensolution quick.cart
Vendors & Products | | Opensolution; Opensolution quick.cart

Thu, 05 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | In Quick.Cart, user passwords are stored in plaintext. An attacker with high privileges can display users' passwords on the user editing page. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Title | | Plaintext password display in Quick.Cart
Weaknesses | | CWE-256
References | |
Metrics | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-02-05T14:29:00.428Z

Reserved: 2026-01-16T13:19:49.041Z

Link: CVE-2026-23797

Vulnrichment

Updated: 2026-02-05T14:28:57.516Z

NVD

Status: Analyzed

Published: 2026-02-05T12:16:01.897

Modified: 2026-02-19T18:30:15.370

Link: CVE-2026-23797

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z
