CVE-2026-3714 - Vulnerability Details

- OpenCart Incomplete Fix CVE-2024-36694 template.php save special elements used in a template engine

Description

A vulnerability has been found in OpenCart 4.0.2.3. Affected by this issue is the function Save of the file admin/controller/design/template.php of the component Incomplete Fix CVE-2024-36694. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-03-08

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The issue resides in the Save function of admin/controller/design/template.php and involves incomplete neutralization of special elements used by OpenCart’s template engine. Improper handling of these elements exposes the system to template injection, allowing a remote attacker to influence the rendering or behavior of templates. The CVSS base score of 5.1 indicates a moderate risk profile according to the available information.

Affected Systems

OpenCart 4.0.2.3. The vulnerable component is the admin controller template handling logic. No additional products or version ranges are listed beyond this specific release.

Risk and Exploitability

CVSS 5.1 reflects moderate severity, while the EPSS score of less than 1% denotes a low probability of exploitation in the near term. The vulnerability is not currently included in the CISA KEV catalog. Attack is feasible from a remote location; no known public exploits have been reported, but the potential for template injection can affect application behavior or expose sensitive data if an attacker can supply input to the template engine.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

OpenCart

affected

Version	Status	Constraints
`4.0.2.3`	affected	—

Configuration 1 [-]

cpe:2.3:a:opencart:opencart:4.0.2.3:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Opencart

95%

Version	Status	Scheme	Platform
`4.0.2.3`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade OpenCart to a newer release that resolves template sanitization issues, if available.
Restrict administrative access by IP whitelisting or VPN, limiting exposure to remote attackers.
Implement or enforce input validation and sanitization for template data, or disable template usage for untrusted users.

Generated by OpenCVE AI on April 16, 2026 at 10:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00065.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://drive.google.com/file/d/1_ZCvICLKo8AOovDkKFHwsBxh-ciwbElS/view?usp=drive_link
https://vuldb.com/?ctiid.349659
https://vuldb.com/?id.349659
https://vuldb.com/?submit.765176

History

Wed, 11 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:opencart:opencart:4.0.2.3:::::::*

Sun, 08 Mar 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in OpenCart 4.0.2.3. Affected by this issue is the function Save of the file admin/controller/design/template.php of the component Incomplete Fix CVE-2024-36694. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Title		OpenCart Incomplete Fix CVE-2024-36694 template.php save special elements used in a template engine
First Time appeared		Opencart Opencart opencart
Weaknesses		CWE-1336 CWE-791
CPEs		cpe:2.3:a:opencart:opencart::::::::
Vendors & Products		Opencart Opencart opencart
References		https://drive.google.com/file/d/1_ZCvICLKo8AOovDkKFHwsBxh-ciwbElS/view?usp=drive_link https://vuldb.com/?ctiid.349659 https://vuldb.com/?id.349659 https://vuldb.com/?submit.765176
Metrics		cvssV2_0 `{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Opencart Opencart

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-08T06:32:06.543Z

Updated: 2026-03-11T13:44:45.059Z

Reserved: 2026-03-07T10:59:21.497Z

Link: CVE-2026-3714

Vulnrichment

Updated: 2026-03-11T13:44:36.804Z

NVD

Status : Analyzed

Published: 2026-03-08T07:16:13.293

Modified: 2026-03-09T18:37:31.480

Link: CVE-2026-3714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:45:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object