Opencart Opencart

  1. Vendors
  2. Opencart

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Opencart product.

RSS Feeds for Opencart security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Opencart products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Opencart Sorted by Most Security Vulnerabilities since 2018

Opencart32 vulnerabilities

Opencart Core1 vulnerability

By the Year

In 2026 there have been 3 vulnerabilities in Opencart with an average score of 5.9 out of ten. Last year, in 2025 Opencart had 7 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Opencart in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.09.




Year Vulnerabilities Average Score
2026 3 5.87
2025 7 4.78
2024 7 6.33
2023 4 8.65
2022 2 7.35
2021 0 0.00
2020 5 4.66
2019 1 0.00
2018 3 8.80

It may take a day or so for new Opencart vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Opencart Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-5331 Apr 02, 2026
OpenCart 4.1.0.3 Path Traversal Extension Installer A vulnerability was determined in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Opencart
CVE-2024-58341 Mar 25, 2026
OpenCart 4.0.2.3 Core SQLi in Search Endpoint OpenCart Core 4.0.2.3 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'search' parameter. Attackers can send GET requests to the product search endpoint with malicious 'search' values to extract sensitive database information using boolean-based blind or time-based blind SQL injection techniques.
Opencart
Opencart Core
CVE-2026-3714 Mar 08, 2026
OpenCart 4.0.2.3 Template Engine Neutralization Flaw (RCE) A vulnerability has been found in OpenCart 4.0.2.3. Affected by this issue is the function Save of the file admin/controller/design/template.php of the component Incomplete Fix CVE-2024-36694. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Opencart
CVE-2025-15116 Dec 28, 2025
OpenCart SRCCHandler Race Condition CVE-2025-15116 (4.1.0.3) A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing a manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Opencart
CVE-2025-45892 Jul 25, 2025
OpenCart 4.1.0.4 Stored XSS via Blog Editor (CVE-2025-45892) OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript code
Opencart
CVE-2025-45893 Jul 25, 2025
OpenCart 4.1.0.4 Stored XSS via Unsanitized SVG Upload OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript
Opencart
CVE-2025-1746 Feb 28, 2025
OpenCart <4.1.0 XSS via /product/search Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
Opencart
CVE-2025-1747 Feb 28, 2025
OpenCart <4.1.0: HTML Injection via /account/login Param HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login.
Opencart
CVE-2025-1749 Feb 28, 2025
OpenCart <4.1.0: HTML Injection via /account/voucher Param HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher.
Opencart
CVE-2025-1748 Feb 28, 2025
OpenCart <4.1.0 HTML injection via /account/register URL param HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register.
Opencart
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.