Skip to main content

Cs Cart

12 CVEs product

Monthly

CVE-2025-50850 HIGH This Week

Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rate limiting, or account lockout, letting remote attackers run automated password-guessing until a valid vendor credential is found. Success yields unauthorized access to a vendor's storefront administration account. A public write-up exists on GitHub, but there is no public exploit identified at time of analysis and no evidence of active exploitation; EPSS is low at 0.24% (15th percentile).

Authentication Bypass Cs Cart
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-50848 MEDIUM This Month

Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users of affected storefronts. An attacker who can upload files to the platform may submit a crafted HTML document subsequently served from the trusted store domain, allowing arbitrary JavaScript execution in victims' browsers or presentation of convincing fake login pages for credential harvesting. Publicly available exploit code exists on GitHub; the EPSS score of 0.22% (13th percentile) reflects low observed exploitation pressure and the vulnerability is not listed in the CISA KEV catalog.

File Upload XSS RCE Cs Cart
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-50847 MEDIUM This Month

Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated user's comparison list by tricking the victim into loading a crafted HTTP request. The impact is confined to unauthorized modification of the comparison list feature - no data exfiltration or account takeover is possible via this vector. No public exploit identified at time of analysis, and the EPSS score of 0.14% (4th percentile) reflects very low real-world exploitation interest.

CSRF Cs Cart
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2021-32202 MEDIUM This Month

In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the blog post creation page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cs Cart
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2017-15673 HIGH This Week

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Cs Cart
NVD
CVSS 3.0
7.2
EPSS
0.4%
CVE-2017-10886 MEDIUM This Month

Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Cs Cart Cs Cart Multivendor
NVD
CVSS 3.0
5.4
EPSS
0.3%
CVE-2017-2138 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Cs Cart Cs Cart Multivendor
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-2139 MEDIUM This Month

CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to bypass access restriction. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass PHP Cs Cart
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2016-4862 HIGH PATCH This Week

Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE PHP Cs Cart
NVD
CVSS 3.0
8.8
EPSS
2.4%
CVE-2015-2701 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Cs Cart
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
0.8%
CVE-2013-7317 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Cs Cart
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-0118 MEDIUM This Month

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cs Cart
NVD
CVSS 2.0
5.0
EPSS
0.3%
EPSS 0% CVSS 8.6
HIGH This Week

Credential brute-forcing against CS-Cart 4.18.3 is possible because the vendor login endpoint ships without CAPTCHA, rate limiting, or account lockout, letting remote attackers run automated password-guessing until a valid vendor credential is found. Success yields unauthorized access to a vendor's storefront administration account. A public write-up exists on GitHub, but there is no public exploit identified at time of analysis and no evidence of active exploitation; EPSS is low at 0.24% (15th percentile).

Authentication Bypass Cs Cart
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Unrestricted HTML file upload in CS-Cart 4.18.3 enables stored cross-site scripting and phishing attacks against users of affected storefronts. An attacker who can upload files to the platform may submit a crafted HTML document subsequently served from the trusted store domain, allowing arbitrary JavaScript execution in victims' browsers or presentation of convincing fake login pages for credential harvesting. Publicly available exploit code exists on GitHub; the EPSS score of 0.22% (13th percentile) reflects low observed exploitation pressure and the vulnerability is not listed in the CISA KEV catalog.

File Upload XSS RCE +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Cross-Site Request Forgery in CS-Cart 4.18.3 permits an attacker to silently add arbitrary products to an authenticated user's comparison list by tricking the victim into loading a crafted HTTP request. The impact is confined to unauthorized modification of the comparison list feature - no data exfiltration or account takeover is possible via this vector. No public exploit identified at time of analysis, and the EPSS score of 0.14% (4th percentile) reflects very low real-world exploitation interest.

CSRF Cs Cart
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM This Month

In CS-Cart version 4.11.1, it is possible to induce copy-paste XSS by manipulating the "post description" filed in the blog post creation page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cs Cart
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

The files function in the administration section in CS-Cart 4.6.2 and earlier allows attackers to execute arbitrary PHP code via vectors involving a custom page. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Cs Cart
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Cs Cart Cs Cart Multivendor
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Cs Cart Cs Cart Multivendor
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS-Cart Multivendor Japanese Edition v4.3.10 and earlier (excluding v2 and v3) allows remote attackers to bypass access restriction. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass PHP Cs Cart
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE PHP Cs Cart
NVD
EPSS 1% CVSS 6.8
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF Cs Cart
NVD Exploit-DB
EPSS 1% CVSS 4.3
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in CS-Cart before 4.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) settings_file or (2) data_file parameter to (a). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Cs Cart
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Cs Cart
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy