CVE-2026-23796
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Quick.Cart allows a user's session identifier to be set before authentication, and that session ID remains unchanged after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the affected version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Analysis
Session fixation vulnerability in Quick.Cart allows attackers to set a user's session identifier before authentication. The session ID persists through login, enabling session hijacking of authenticated users.
Remediation
Within 24 hours: Identify all Quick.Cart instances in production and document exposure scope; notify affected customers of potential risk; enable enhanced logging on authentication and session management.
Within 7 days: Implement compensating controls (session regeneration enforcement, IP-based session validation); consider disabling Quick.Cart until mitigation is confirmed effective. …
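The behaviour described above (a pre-authentication session ID that survives login) and the session-regeneration control listed under Remediation, as an added example that is not Quick.Cart's code (its internals are not on this page): a constructed Python model of server-side session handling in its vulnerable and hardened forms, with a check that reports whether the session ID rotates on login. The names SessionStore and session_id_rotates_on_login are this example's own.

```python
import secrets


class SessionStore:
    """Constructed model of server-side session handling (not Quick.Cart's code)."""

    def __init__(self, regenerate_on_login: bool, accept_client_ids: bool):
        self.regenerate_on_login = regenerate_on_login
        self.accept_client_ids = accept_client_ids
        self.sessions = {}  # session id -> session data

    def _new_id(self) -> str:
        sid = secrets.token_hex(16)  # server-generated, unpredictable
        self.sessions[sid] = {"user": None}
        return sid

    def begin_request(self, cookie_sid):
        """Resolve the session for an incoming request.

        Vulnerable variant: adopts any unknown ID the client presents, so an
        ID chosen before authentication becomes a live session.
        Hardened variant: only honours IDs the server issued; anything else
        is replaced by a freshly generated ID.
        """
        if cookie_sid in self.sessions:
            return cookie_sid
        if self.accept_client_ids and cookie_sid:
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        return self._new_id()

    def login(self, sid, user):
        """Authenticate and return the session ID the client must use from now on."""
        if not self.regenerate_on_login:
            self.sessions[sid]["user"] = user  # ID unchanged: the flaw described above
            return sid
        new_sid = self._new_id()  # rotate the ID at the privilege change
        self.sessions[new_sid]["user"] = user
        del self.sessions[sid]  # invalidate the pre-auth ID so a fixed one is useless
        return new_sid


def session_id_rotates_on_login(store, client_sid="sid-chosen-before-auth"):
    """True when login issues a new ID and the pre-auth ID is no longer valid.

    Against a live application the same check is: compare the session cookie
    before and after a successful login; an identical value is the finding.
    """
    pre = store.begin_request(client_sid)
    post = store.login(pre, "alice")
    return post != pre and pre not in store.sessions
```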