OpenCart CVE-2025-15116
Severity: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing a manipulation results in a race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
OpenCart versions up to 4.1.0.3 are vulnerable to a race condition in the Single-Use Coupon Handler component that allows remote attackers to perform unauthorized manipulation resulting in information disclosure. The attack is of high complexity and requires no authentication; the CVSS score of 2.9 indicates low impact. Publicly available exploit code exists, and the vendor did not respond to the early disclosure notification.
Technical Context (AI)
The vulnerability exists in OpenCart's Single-Use Coupon Handler functionality, which manages the lifecycle and validation of promotional coupons restricted to single use. The underlying issue is a classic race condition (CWE-362), where concurrent requests to redeem the same coupon can bypass the single-use restriction due to improper synchronization between coupon validation and redemption logic. This timing-based flaw allows an attacker to exploit the window between when a coupon is validated as available and when it is marked as consumed, potentially allowing multiple redemptions or disclosure of coupon validity states. The affected product is OpenCart, a PHP-based e-commerce platform, with specific impact limited to the coupon subsystem.
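The check-then-act window described above, shown as an added example that is not OpenCart's code. Five "requests" race for one single-use coupon on a temporary SQLite database: the first redemption function validates in one statement and records the use in another, so every request that validated before the first write lands succeeds; the second takes the write lock up front and folds the availability test into a single conditional UPDATE, which is SQLite's equivalent of the row-level lock (SELECT ... FOR UPDATE on MySQL) named in the remediation. The schema, table and column names are assumptions chosen for the demo, and a barrier forces the worst-case interleaving so the outcome is reproducible.

```python
"""Added example, not OpenCart's code: a single-use coupon redemption written as
check-then-act beside a version that lets the database serialize it.
Table and column names (coupon, coupon_history, uses_total) are assumptions."""
import os
import sqlite3
import tempfile
import threading

SCHEMA = """
CREATE TABLE coupon (code TEXT PRIMARY KEY, uses_total INTEGER NOT NULL DEFAULT 0);
CREATE TABLE coupon_history (code TEXT NOT NULL, order_id INTEGER NOT NULL);
INSERT INTO coupon (code) VALUES ('WELCOME10');
"""


def new_db():
    """Create a temporary on-disk database so several connections can race on it."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.close()
    return path


def connect(path):
    # Autocommit mode so the transactions below are explicit; the timeout makes
    # a connection wait on the database lock instead of failing immediately.
    return sqlite3.connect(path, isolation_level=None, timeout=10)


def redeem_check_then_act(path, code, order_id, barrier):
    """Vulnerable shape: validate in one statement, record the use in another.
    Nothing is held between the two, so every request that validated before the
    first write lands also passes validation."""
    conn = connect(path)
    try:
        (used,) = conn.execute(
            "SELECT COUNT(*) FROM coupon_history WHERE code = ?", (code,)).fetchone()
        barrier.wait()  # forces all validations to complete before any write
        if used:
            return False
        conn.execute("INSERT INTO coupon_history VALUES (?, ?)", (code, order_id))
        return True
    finally:
        conn.close()


def redeem_atomic(path, code, order_id, barrier):
    """Hardened shape: acquire the write lock first, then make the availability
    test and the consumption one conditional UPDATE. Only one request can ever
    observe uses_total = 0; the rest see rowcount 0 and roll back."""
    conn = connect(path)
    try:
        barrier.wait()
        conn.execute("BEGIN IMMEDIATE")  # takes the write lock before reading
        cur = conn.execute(
            "UPDATE coupon SET uses_total = uses_total + 1 "
            "WHERE code = ? AND uses_total = 0", (code,))
        if cur.rowcount != 1:
            conn.execute("ROLLBACK")
            return False
        conn.execute("INSERT INTO coupon_history VALUES (?, ?)", (code, order_id))
        conn.execute("COMMIT")
        return True
    finally:
        conn.close()


def run_concurrent(redeem, code="WELCOME10", clients=5):
    """Fire `clients` threads at a fresh database; return how many redemptions succeeded."""
    path = new_db()
    barrier = threading.Barrier(clients)
    results = []

    def worker(order_id):
        results.append(redeem(path, code, order_id, barrier))

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(1, clients + 1)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("check-then-act redemptions:", run_concurrent(redeem_check_then_act))  # 5
    print("atomic redemptions:", run_concurrent(redeem_atomic))  # 1
```

The hardened version does not depend on the barrier: the database refuses to let two writers hold the lock at once, so whichever ordering the threads actually take, exactly one UPDATE matches. The same shape on MySQL is BEGIN, SELECT ... FOR UPDATE on the coupon row, the conditional UPDATE and INSERT, COMMIT.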
Remediation (AI)
No vendor-released patch has been identified at the time of analysis, as the OpenCart vendor did not respond to early disclosure. Users should upgrade to OpenCart 4.1.1 or later if available, or implement compensating controls to mitigate race condition exploitation. Mitigations include:
(1) Enforce database-level locks on coupon redemption queries using SELECT ... FOR UPDATE or equivalent row-level locking, so that concurrent coupon validation and marking-as-consumed are serialized and the race window shrinks to near zero.
(2) Run validation and redemption at the SERIALIZABLE transaction isolation level (trade-off: potential performance impact under high-concurrency coupon usage).
(3) Disable the Single-Use Coupon feature entirely if it is not operationally required, eliminating the vulnerable code path.
(4) Monitor coupon redemption logs for duplicate uses of the same coupon within short time windows and alert on anomalies.
Check https://vuldb.com/?id.338494 and vendor advisory channels for patch status updates.
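Mitigation (4), the detective control, as an added example rather than anything shipped with OpenCart. The log format ("timestamp coupon=... order=... ip=...") is an assumption and the lines are constructed; the function groups redemptions per coupon and flags every coupon with two or more redemptions whose timestamps fall within a short window of each other, which is the signature a race against a single-use coupon leaves behind.

```python
"""Added example, not OpenCart's code: flag single-use coupons redeemed more
than once inside a short window. The log line format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> coupon=<code> order=<id> ip=<addr>"
SAMPLE_LOG = """\
2025-01-15T10:00:01Z coupon=WELCOME10 order=1001 ip=198.51.100.7
2025-01-15T10:00:01Z coupon=WELCOME10 order=1002 ip=198.51.100.7
2025-01-15T10:00:02Z coupon=WELCOME10 order=1003 ip=198.51.100.7
2025-01-15T10:05:00Z coupon=SPRING5 order=1004 ip=203.0.113.9
2025-01-15T11:30:00Z coupon=SPRING5 order=1005 ip=203.0.113.10
"""


def parse_line(line):
    """Split one log line into (timestamp, coupon code, order id)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["coupon"], int(kv["order"])


def find_duplicate_redemptions(log_text, window=timedelta(seconds=5)):
    """Return {coupon: [order ids]} for every coupon that was redeemed at least
    twice with consecutive redemptions no more than `window` apart."""
    by_coupon = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, code, order = parse_line(line)
            by_coupon[code].append((ts, order))

    alerts = {}
    for code, events in by_coupon.items():
        events.sort()  # chronological, so neighbours are the closest pairs
        flagged = set()
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] <= window:
                flagged.update({prev[1], cur[1]})
        if flagged:
            alerts[code] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for code, orders in find_duplicate_redemptions(SAMPLE_LOG).items():
        print(f"ALERT coupon {code} redeemed {len(orders)} times within window: {orders}")
```

For a coupon that is genuinely single-use, any second redemption is a finding regardless of timing; the window simply separates the near-simultaneous pattern of a race from, say, a coupon that was later re-enabled by an administrator. SPRING5 in the sample is used twice more than an hour apart and is therefore not flagged by this rule.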